
Good morning. Thank you all for coming, especially for taking time out from all the really, really cool hacker stuff that's going on in the other rooms to come here and talk a little bit about risk analysis and metrics. My name is W Williams. I'm a manager of security at a small startup in the Northeast called Latus Engines. I've pretty much done everything in information security: public key infrastructures, meta directories, LDAP, vulnerability assessments, etc., etc. You can read the laundry list. The key thing is that I've been doing risk analysis for about six, seven years now, using various methodologies, and I was very excited a few years ago to learn of some systematic attempts to put some metrics behind risk analytics. And I've discovered that nobody will ever share the formulas. They've shared the ideas, they've shared methodologies, but the actual formulas that produce the analysis? "Oh, it's proprietary." That's nice. And then Dr. Lloyd stood up in front of a crowd of BSides attendees this past February or March at the RSA BSides conference and gave a great talk on risk analytics, with the idea that we can derive some metrics by using what we have in front of us. I want to take that one step further, but before I do, I want to thank Dr. Lloyd for introducing the idea that you can talk about risk and metrics at a BSides event, and some of my mentors and some of the other folks who inspired me to work in this field.

So let's start out with putting ourselves on the same page. What the hell do I mean when I talk about information risk? What is risk? Information risk is a subset of business risk. It is not the cogs that drive the machine. It is something that works within the machine that is already working. It should help business people make business decisions, not help security people say, "No, business, you can't do that." There are many different definitions for risk. This is my classic one: risk is the probability of an event times the impact of the same
event. I'm sorry to say that this is garbage. This allows you to classify spam, a high-probability but negligible-impact event, as having exactly the same risk as a bomb going off in the lobby of the building, an extremely low-probability but high-impact event. When it comes to formulas used to analyze "is this more important than that?", we'd spend the same amount of money to protect against this as against that. This is garbage. This does not help you make an intelligent decision. And yes, this is the metric our government uses to do risk analytics. This is from NIST.

So what is risk, and how can we measure it? I took a look at the ISO 27005 definition. A lot of people talk about ISO compliance, 27001, 27002. ISO's got a great standard in 27005 that has been extended, and it is designed to be flexible and extensible. The idea is that a risk is the potential that given threats will have an impact on an asset, a group of assets, or an entire company, causing harm to the organization. I like that word, harm. It's the same thing as impact. That's a metric. That's something that we can tangibly measure. The trick is to get you an understanding of what the threats are, what the vulnerabilities are, what the assets are, and finally what the different impacts are. There are different methodologies that you can use to get to those points.

Obviously I'm going to be working on FAIR here, but OCTAVE is great if you happen to like it. It takes a lot of effort to drive into a non-military organization. Risk IT is great if you're using it inside your organization. If you're stuck in the government and you can't use OCTAVE, you'll probably use this one, and that's got that classic definition of risk that's just got to go. And finally there's TARA, and TARA does the same sort of thing for Intel that Dr. Lloyd did for the rest of us, and that takes a look at [inaudible] risk. Now, as you go through a risk analysis process that fits inside of a
risk management process, remember the goal here is not to stop at analysis. The goal here is to manage your risks. And all of these charts that you see here are stolen, literally, from a lovely paper that I will cite in just a few minutes. Well, the idea is: how is risk identified? How is risk estimated? How is risk evaluated? Let's start with identification. What are the assets in your scope? Are you looking at the entire company? Are you looking at a subset of the company? Are you looking at the project in front of you? That defines what you mean by scope. What are the threats impacting that scope? What are the controls within scope? What are the vulnerabilities? And probably most important, from at least my perspective, what are the consequences if you get this wrong, or what are the consequences if someone gets through the protection?

The Open Group took ISO 27005 and inserted that methodology I made reference to, without naming it, earlier, and that's Factor Analysis of Information Risk. FAIR is a great methodology for doing data analytics, but they don't publish the formulas; they keep those proprietary. If you go to the organization behind it and you say, "Okay, this is wonderful stuff, I want to use your tools," they're going to hand you a check, or an invoice, for $30,000. "We'd love to have you use our tools." I have no idea what their tool does. I'm not attempting to reverse engineer their tool, but I took their ideas, specifically as refined by the Open Group's integration of their methodology into ISO 27005, and I said, you know, this is FAIR done better, and I invented my own tool, and that's part of what I'm showing. So first of all, what's an asset? Some people can say my asset is my combo. That's a very low-cost asset, but for a sales manager that just might be his most important asset. Other people are going to say my asset is my internet connection. Other people are going to say my asset is this mainframe. Another person is going to say no, my assets are my customers. Guess what? They're all
right. There is no one definition for an asset within an organization. We should not be telling them, "No, I only want to look at this kind of asset." No, we need to be looking at every single asset in your organization. Listen to what they have to tell you. Get an idea, an estimation, of how valuable those assets are to the individual you're talking to, and aggregate that data. If they don't know how valuable they are, talk to them about what would happen if this was not available to them for a 24-hour period of time. If you put the question in those terms, you'd be surprised exactly how quickly you get value out of an asset definition. And oh, by the way, staples may be assets, but you don't put them in a bank vault just because they happen to be business assets. Different assets do have different levels of value and security.

Now, value is much more than just money. Value could be the criticality of something, the sensitivity, the loss of productivity if it were to disappear. It could be the cost of responding to an incident that hit that asset. The value could be around fines incurred. It could be the impact on your reputation. The asset value could be the impact on investments, something that you might not know about until three years down the line. All of these things can be estimated if you can't compute the exact value, but try to just use questions such as: What would happen to you? What would happen to your organization? What would happen to the larger organization if this was not available for a defined period of time? Then extrapolate out from that. That gets you to impact; that gets you to harm. You've already got the beginnings of a metric. The trick is that these are always going to be just estimates, and you can get to better estimates.

Threats. Different kinds of threats have different kinds of impacts. But the lovely thing is that the things that you do to protect against one kind of threat are sometimes the things that you do to protect against other kinds of threats. So a
bomb, an earthquake, a tornado, a tsunami: you can protect against them in the same way. What you're protecting against is impact. You're not protecting against the actual event itself. So if you protect against the impact, whether it's a risk or a threat, you're done. If there's no way for the threat to act on an asset, you're protected. A great category of threats that's out there, ready to use, is the Basel threat categories. The nice thing is that the Basel threat categories provided us with this measurement. It's old. It's venerable. It's a risk spreadsheet. And the risk spreadsheet that I'm using is based upon this work, by the way; I'm fully willing to distribute the tool that I've used. Just give me your contact data and I'll send it over. It covers some pretty reasonable categories: external fraud, employment practices, clients and products, damage to physical assets, business disruption, execution, delivery and process management. Excellent categories with a heck of a lot of detail behind all of that. This is the chart. I don't expect you to read it. It's all within the spreadsheet, and it's all very well laid out. And obviously, some things are going to be more applicable to you than others, but you can add to this if there's something that you need, a threat to your organization, that's just not covered. These things are extensible.

Controls. We all have them, I hope, and they can all be better. Mine sure can. You should know what your controls are. You should know why you have the controls you have. You should know how effective they are. We all know how to get to that point. That's why we're right here, that's why we sit down and talk with each other. But in case you didn't know, how do you get this knowledge? You ask, you audit, you test. Simple, basic stuff. The control catalogs that I've used in the spreadsheet are based upon ISO. It's not perfect. It is a starting point. You can use BITS if you prefer. You can use [inaudible] if you prefer. You can use PCI if you prefer. They all come with the same basic elements.

Vulnerability. This is a method through which a threat can act on an asset. Some people confuse vulnerability
with risk. It's possible to have business risk without having any vulnerabilities. That's why we have recovery facilities. That's why we have business continuity facilities, because you simply don't find everything, and you may need to recover from something that there was no way to plan for. You do not plan on a meteorite in your production facility. What you can do is you can recover. [inaudible] methods by which threats [inaudible]

The impact. That's where I like to focus. Impacts, in a sense, most can be represented that way. Okay. But not all impacts compromise the value of an asset. Some impacts are going to compromise the value of multiple assets. Don't be afraid to aggregate here as well. When you're taking a look at this, look at the loss of productivity. That's hard to quantify, but you can do so in person-hours. Look at the cost of the response. How much will it take you to go from point A to point C in the response plan, including of course [inaudible]? What's the cost of replacement? What's the cost to competitive advantage? What kind of fines are you going to face? What's
going to be the impact on your reputation? All of these things can be quantified, and if you don't know the hard numbers, use estimates. Put something in. Now your CFO says one thing about the value of an asset. Your CEO says something else. Your CTO says a third thing. Who's right? They all are. The beautiful thing is that numbers can be aggregated. You don't have to play the game of "this person's more important to my company than that person, so I must use his numbers even though I think that person's numbers are more accurate." Use all the numbers. Don't play sides.

Analysis. We all understand the impact each has. Establish a scale proportional to the impact, proportional to the frequency, proportional to the strength and capability of the threat and the control, and of course the vulnerabilities themselves. In order to measure risk, one first must measure impact, frequency, capability, control and vulnerability. The trick is that some of these things kind of overlap. So loss frequency can be expressed, if you choose to, as a factor of vulnerability and threat event frequency. That's getting right out of hand. But what if you don't know the vulnerability level? What if you don't know the threat event frequency? You can estimate at a higher level. Depending on the data you know, you can drive down or drive up where you apply it. And this is again right out of that risk analysis. And most people find themselves where they know what the vulnerability is, but they don't know necessarily what the capability or control strength are. So they'll work from vulnerability. Or they might have an idea of how easy it is to contact, or come in contact with, that particular set of data, but they wouldn't understand really what's the probability of action. You can put in estimates at any point here.
[inaudible] abilities of the hacker: how capable is the threat, and how strong is your own control strength? And yes, CVSS numbers provide a point of comparison. If you're going to be using CVSS numbers, at least be honest and say that the CVSS numbers that you have are not [inaudible]. That's why you're provided with a calculator. The calculator that's provided here is actually a very, very nice tool to place the measurement of that vulnerability in the context of your organization. It's a lot of work. It involves every single vulnerability that you have, that you care about, going into the system and putting in some external data that could not be put in generically, that is specific to your organization, to derive the actual CVSS v2 number for that particular vulnerability in the context of where it is within your organization. And you may find something that's generically a 10 turns out to be really a 5. That's important for using CVSS metrics in order to derive the value of that vulnerability, or the criticality of that vulnerability.

Now, probability. I love this. Everybody gets probability wrong. Everybody in this room has a 100% probability of dying. Guaranteed. I know you don't want to hear it, but it's true. This is why I'm not [inaudible]. Okay. However, your chance of dying at this instant is less than 1%. That's what's known as an event frequency. You've got a 100% chance of this event happening. But the frequency of this event happening at any particular point in time, that's your event frequency. That's what you really care about: the chance of something happening now, not in the abstract at any particular point in time. Now, event frequency can be derived from historical data, but as we all know, past performance is no guarantee of future results, as in Sony the day before the compromise. Then frequency can be estimated as a factor of how easy it is to come across the vulnerability in your system. What is the probability of somebody acting against us? The Sony one suddenly became elevated when they kicked off a bunch of people. Both can be estimated, and more importantly, you can use the beta distribution to get fairly accurate estimates, and then you can calibrate, and we'll get into how you do all of that and how you use that in a few minutes. Yes. How do you get to the particular vulnerability? Okay.

So, what on earth do I mean by calibration? Let's deal with that issue before we deal with any of the other issues, such as what a distribution is and how you use it. So, who can tell me on what day the Declaration of Independence was voted on by Congress? Don't use Google. Anyone? How confident are you in your answer?
75%. 66%. Why? It just so happens that it was ratified on July 2nd. You had it 100% right. But you notice he wasn't confident in what he knew, even though he knew it. Learning to understand to what degree you don't know what you think you know, or how confident you are in that knowledge, is what we mean by calibration. The best calibration comes from research. Sitting down and reading your Ponemon reports, your CSI reports, your Verizon reports, your data loss reports. Getting a sense of how frequently these things happen will give you a sense of confidence in your numbers. And when you're working with a PERT distribution, the beautiful thing is that that confidence can be expressed numerically, and that confidence can be used to manipulate the results so that they provide you with better results. The trick is, how do you do that?

Now PERT takes the idea that what you can do is establish a mean that is not your average but is almost the same value, where you have an optimistic estimate and a pessimistic estimate, and you do a calculation to determine the likelihood. And what David Vose proposed you could do is, if you replace the value gamma here in this formula with some number greater than zero and less than some other number, you could use that to slide the PERT distribution one way or another based upon how confident you were. The closer you were to four, the closer you were to... yeah, I know that. Obviously, you could decide less than four, you could decide more than four. But the idea is, the more confident you are, the closer to four you want that number to be.

Now there are a number of tools out there that allow you to do this sort of analysis. There are some great commercial tools out there. [inaudible] software used to provide one basic tool for free. It's now available for about 500 bucks. RiskAMP provides a great tool out there that's about $2,300. And of course, there are the beautiful folks over at OpenPERT who provide you with a tool for free. The trouble with the OpenPERT tool is that it doesn't allow you to really play with it, as you'll see in a few minutes. There is, of course, a tool that pretty much all of us have in our arsenal. It's called Excel. Or if you don't happen to have Excel, you might have OpenOffice with their equivalent of Excel, and PERT is just a formula, and you can write it. And yes, the spreadsheet that I have has got a PERT formula built into it, not using any of this fancy stuff, that we can use and play with and extrapolate information from if you want to have it.

So, deriving risk. So you've got this catalog, your catalog, your
control gap analysis, frequency estimation. In fact, good. Now it's time to also do a Monte Carlo. Now I initially planned to do the demo at this point, but because of screen resolution issues I'm saving all the demos. Monte Carlo simulation is a way of estimating reality. To show you how successful it is: it was used by the Manhattan Project in order to estimate the size and the impact of the atomic bomb before they blew one up, and it was found to be exceedingly accurate in that calculation. The idea is you take a set of possible inputs, generate them randomly from a probability distribution (remember beta-PERT; you need a uniform distribution with a large number of inputs), and you run them through this deterministic computation. You aggregate the results and you get out of it a pretty damn good metric, a good representation of reality. The idea is that risk analysis does not tell you what reality is; it allows you to model reality, and you can use those models to make realistic decisions. They're a bit more meaningful to business.

So, let's step out of analysis, and let's get into the spreadsheet. This is a fairly humongous spreadsheet that came from BITS, which I've taken and modified. So if you're familiar with this particular spreadsheet that was distributed by BITS, you'll see some interesting differences. You'll also notice that if I were to start demoing this as it is, scrolling to the right, that nothing's visible. So I'm going to break us here out of the presentation just a little bit. I'm going to change the screen resolution. That's going to make things less easy to read, but I can show you how this all works. And for those of you who are viewing this afterwards, my sincere apologies that it won't be so easy to read. I'll give you just a moment here. Do not pay any attention to the man behind the curtain. Hold on. And we have a spreadsheet that is a little easier to read, or a little easier to work with, I should say. I want to show you what I've done with this thing and how it works.

Now, first things first, you're looking at these numbers and you're saying, "Okay, they're all the same." That's because, well, this is a demo, and there's no way in hell I'm putting any real business information into this. I want to show you how it works, not how I've used it. Please, this is not any analysis that I've done at any company. You can distribute this and use this for your own company. There is no business data
in this spreadsheet. With that out of the way, let's just expand this. Okay, so I've got a nice threat here. The threat category is access control. It can disrupt business through an application software failure when security events are not logged by the application. Okay, as we all know, when security events are not logged, that doesn't really have a very strong impact, but it's something that happens on a fairly frequent basis. That's not necessarily something (just to reuse the word "something," which I happen to like) that you will come across externally. This is an internal threat to your organization, but it could be on an external service. So first of all, what kind of skills or resources are needed? This is where I apply my knowledge. How easy is it to take advantage of a system that is not logging? Damn easy. So we'll set that up to, okay, 98%. And the maximum skills I need are 99%. That actually works. My confidence in these numbers? I'm pretty darn confident in those numbers. So I'm going to say that 98 to 99% of the hackers out there can take advantage of a system that is not logging. So I put in a factor of four. So I have a mode of 98%. Nothing's ever 100%. There's always somebody who can't take advantage of it, even the simplest things.

Now, what's happening here? I get that capability. Take a look all the way up here in the top left-hand corner of the screen: there's a little analysis. I've taken my inputs, my minimum, my maximum, my confidence, and my mode, the most likely, and I am aggregating them together. I have a very, very simple, easy-to-rewrite formula to get out my result, 90%. That is my mean. Nothing fancy. But the idea is you do the same thing for control strength. I've already said that, okay, I do not have logging. My control strength is pretty damn lousy. So I'm going to put in a strength of 5. The mode is probably a strength of 6. The maximum, 10%. Okay, I'll get some value out of this control. My confidence in these numbers again happens to be a four. And so it's not recalculated. So let's just force this to recalculate. I just demoed this as well. Excuse me. The device does not like this at
all. Okay. Now, vulnerability I have taken as a combination of my control strength and of the ease of access to the vulnerability. So what I've done here is I've just rounded those two values up and compared them on a chart. Let me show you what the chart looks like. And this, by the way, is a variation on the chart that comes with the Basel tool. There we go. A very, very simple chart. A chart that represents that the higher the vulnerability and the easier it is to access the vulnerability, the greater the risk of the vulnerability having an impact on your organization. So as I compare the two values together, I come up with a number that represents the relationship between those two values, and that is what I am showing over here on my main spreadsheet. So this value here rounds up from that table and gives you that it is pretty damn significant that I have this vulnerability, based upon the strength of my control and the ease of use.

The trick is, how frequently are you going to come across this? Now, I should have one of these on my threat categories for both internal and external egress. So from an internal egress, I would say I'm going to come across this 100% of the time. From an external point of egress, maybe not so much. So I should have two different categories here, one for internal, one for external, on exactly the same issue, and I will do exactly the same minimum, maximum, my confidence, and come up with numbers based upon how easy it is to encounter this thing. I will also do the same with the probability of somebody acting against this. How likely is it that somebody would go after a system that has this? These are... it's a model. I'm providing my expertise. Remember, I'm getting this from my experience. I'm calibrating. The idea is that all you have is frequency, which takes a look at how easy it is to encounter something, and what is the likelihood of them doing something, and you take those two numbers and again compare them on a similar lookup chart, getting a number that represents to you what is the likelihood that somebody would do something against it and be able to do harm to my organization, which is different than how vulnerable I am, but I'm using exactly the same pattern.

Second, the next thing that I do is I take a look at impact. I calculate impact a little differently than I calculated the other values. The first thing is that not every particular threat is going to have an impact on each different impact category. So in my master spreadsheet here I represent the areas where there is no chance of an impact on, say, finance, and where there is a chance of an impact. I've got something here that shows... sorry, an X. Let me back that out. Places where I do have a chance of impact, they have an X, and the values come from just a simple lookup. This value is an X pulled from the top of the
spreadsheet and aggregated data. Let's take a look at what we do to measure magnitude. These numbers came from estimates, and just like all the other estimates that I've been working with, I have a minimum impact, I have the most likely impact, the mode, I have the maximum impact, and I have a confidence factor. And just like with everything else, I'm doing a PERT distribution. In this particular case, I'm using one of the open-source... sorry, one of the shareware proposals out there instead of writing my own formula to do the same thing I showed you on the other pages. This, however, is an area where this number may not be good enough. So what I probably want to do here is, instead of using my own homegrown formula, I probably want to get it into a Monte Carlo distribution.

So let me show you what OpenPERT will do for you. There are two different PERT simulations in OpenPERT. By the way, OpenPERT is free and available for you to download. It's an Excel plugin. I'm sorry, it doesn't work with the OpenOffice version of Excel, to my knowledge. But what it will do for you is a Monte Carlo simulation. And just like with my own formula, it's going to ask me for a minimum. So I'm going to say my minimum there is [inaudible], the most likely 5,000, and the biggest possibility here is 6,000. Small numbers, but it will demonstrate. Now, how confident am I in those numbers? I'm actually pulling those numbers out of a hat here. So I'm not very confident at all. So I'll put in [inaudible]. It builds out a new worksheet within your environment that shows you the results of the Monte Carlo simulation, where it took those estimates that you put in and uses the PERT formula to build out basically values that impact the money. And you can choose to go with the mean, or you can choose to go with the median, or if it's more valuable you can go with the Monte Carlo simulation of the minimum or the maximum, the sum, but probably you want to go with either mean or median. These are not the numbers that you would get by running the distribution once. The idea is that you get more accurate representations of what the analysis is by doing it thousands of times, or hundreds of times. OpenPERT only does it about 15 times. There are other tools out there that you can use that do this hundreds if not thousands of times, and calculate out what is the likely mean or what is the likely median based upon the data that you provide. If you use these values as the values for your impact, you're having a more likely representation of what the impact is to the organization.

And since impact is a bit more important to your CFO and your CEO than likelihood is, they'll use likelihood as a means to say "I'm going to act on this" or "I'm not going to act on this." It's really a tie-breaker. Between two risks with two different impacts, I'll obviously go to the one that's got the higher impact. If I've got two risks with the same impact, what's the likelihood of this one happening versus the likelihood of that one happening? I'll spend the money on the one where it's more likely to happen rather than on the one where it's less likely to happen. Now I have some decision making happening that fits within the way that [inaudible]. And so what I can simply do is just make a reference to this
particular script, the cell of my spreadsheet, in my impact analysis if I chose to, or I can use my basic simple distribution myself. The idea is, when these numbers are set, I'm going to pull in from here. I'm going to pull from here. I sum all these calculations. I'm going to bring it back. And I put those numbers up here at the top of those columns. Just go to the right here a little bit. I have an estimation out here of magnitude based upon the impact of that threat where it can have impact. So I can see here that I have a threat that will impact my reputation but not my competitive advantage. So that particular threat is probably going to have less of an impact than other threats to my organization that would impact both competitive advantage and reputation. These are the numbers that I want to work with. I bring them back to my business managers. I have good metrics that they can use, and I also have the actual likelihood of something happening, based upon your expertise and the analysis.

The next step is you bring it back to the organization. You show them the analysis. You show them the threat vectors. Show them the vulnerabilities. You let them make decisions. You then work on making certain that the appropriate controls are in. You properly manage the risks that you now have that are handled. The model is not reality. When you discuss this with your business partners, and they are partners with you in your enterprise, express this as a model, a representation of reality. And the beautiful thing is, because you are presenting it as a model, you're not married to it. As you get further and further doing this again and again, the confidence factor will increase, getting closer to that number four as the estimates are more accurate. The first time around you do it, if you're choosing a confidence value, especially for anything regarding impact, you're probably being [inaudible]. That's the problem with outside consultants. [inaudible] You within your organization have a chance to do this on an iterative basis. And as you do this on a project-by-project basis, you can reuse the same spreadsheet, the same methodology, and aggregate numbers up to a larger, more comprehensive view of the overall risk of the organization. And the beautiful thing is that you don't have to spend money on high-paid consultants.

Yes.
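The estimation chain the talk walks through in the spreadsheet (calibrated minimum/mode/maximum estimates, a modified PERT mean with a confidence factor, a rounded-up lookup chart for vulnerability and for likelihood, and a Monte Carlo over the impact categories) as an added example in Python. This is not the speaker's spreadsheet, the BITS sheet, OpenPERT or any other tool named above; the 20-point bands, the COMBINE chart, the category names and every sample value are constructed assumptions, chosen only to echo the "security events not logged" demo.

```python
# Added example (not the talk's spreadsheet): modified PERT with a confidence
# factor, a constructed lookup chart, and a Monte Carlo over impact categories.
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Estimate:
    """A calibrated estimate: optimistic (low), most likely (mode), pessimistic
    (high), plus Vose's confidence factor. 4 is classic PERT; smaller values
    flatten the distribution toward low/high, i.e. less faith in the mode."""
    low: float
    mode: float
    high: float
    confidence: float = 4.0


def pert_mean(e: Estimate) -> float:
    """Closed-form modified PERT mean: (low + c*mode + high) / (c + 2)."""
    return (e.low + e.confidence * e.mode + e.high) / (e.confidence + 2)


def pert_sample(e: Estimate, rng: random.Random) -> float:
    """One draw from the beta-PERT distribution (a Beta rescaled to [low, high])."""
    span = e.high - e.low
    if span <= 0:          # degenerate estimate, e.g. "100% of the time"
        return e.low
    alpha = 1 + e.confidence * (e.mode - e.low) / span
    beta = 1 + e.confidence * (e.high - e.mode) / span
    return e.low + rng.betavariate(alpha, beta) * span


def monte_carlo(e: Estimate, runs: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Sample the estimate many times and summarise, as a spreadsheet add-in would."""
    rng = random.Random(seed)
    draws = [pert_sample(e, rng) for _ in range(runs)]
    return {"mean": statistics.fmean(draws), "median": statistics.median(draws),
            "min": min(draws), "max": max(draws)}


def band(percent: float) -> int:
    """Round a 0-100 value up into one of five 20-point bands (1..5); assumed widths."""
    return max(1, min(5, math.ceil(percent / 20)))


# Constructed lookup chart (assumption, not the Basel/BITS chart): rows and
# columns are bands of two factors that both push the result up; cell = 1..5.
COMBINE = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 4],
    [3, 3, 4, 4, 5],
]


def combine(row_pct: float, col_pct: float) -> int:
    return COMBINE[band(row_pct) - 1][band(col_pct) - 1]


def vulnerability(capability: Estimate, control_strength: Estimate) -> int:
    """Threat capability vs. control weakness (100 - strength) through the chart."""
    return combine(pert_mean(capability), 100 - pert_mean(control_strength))


def likelihood(contact_freq: Estimate, action_prob: Estimate) -> int:
    """Same pattern: how often the threat meets the asset vs. chance that it acts."""
    return combine(pert_mean(contact_freq), pert_mean(action_prob))


def impact_magnitude(categories: Dict[str, Optional[Estimate]],
                     runs: int = 20000, seed: int = 1) -> Tuple[float, Dict[str, float]]:
    """Monte Carlo mean per impact category; None marks a category the threat
    cannot touch (the blank cell on the sheet) and is left out of the total."""
    rng = random.Random(seed)
    per_category: Dict[str, float] = {}
    for name, est in categories.items():
        if est is None:
            continue
        draws = [pert_sample(est, rng) for _ in range(runs)]
        per_category[name] = statistics.fmean(draws)
    return sum(per_category.values()), per_category


if __name__ == "__main__":
    # Constructed scenario echoing the demo: security events not logged.
    capability = Estimate(98, 98, 99)            # nearly anyone can exploit it
    control = Estimate(5, 6, 10)                 # the logging control is weak
    contact_internal = Estimate(100, 100, 100)   # encountered every time internally
    action = Estimate(30, 50, 70, confidence=2)  # moderate faith in the mode
    impacts = {
        "response_cost": Estimate(1000, 5000, 6000, confidence=1),  # "out of a hat"
        "reputation": Estimate(2000, 8000, 20000, confidence=2),
        "competitive_advantage": None,           # no chance of impact
    }
    print("vulnerability rating:", vulnerability(capability, control))
    print("likelihood rating:", likelihood(contact_internal, action))
    total, detail = impact_magnitude(impacts)
    print("impact magnitude:", round(total), {k: round(v) for k, v in detail.items()})
    print("response cost, PERT mean vs Monte Carlo:",
          pert_mean(impacts["response_cost"]), monte_carlo(impacts["response_cost"]))
```

With the classic factor of 4 the closed-form mean and the Monte Carlo mean agree (for 1000/5000/6000 both give 4,500); lowering the factor to 1 for the "out of a hat" estimate pulls the mean down to 4,000 and widens the spread, which is the confidence-to-distribution link the talk describes. The likelihood and vulnerability ratings come out of the same chart, so two issues can be compared on impact first and likelihood as the tie-breaker.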
Yes.
Yes. And you can certainly approach it that way. But there are some things... because the asset value in the accounting view of the world depreciates over time, but the value of that asset to the business does not. So you probably want to take a step backwards and say, okay, I don't want to look at... I want to look at those assets too, but probably more importantly I want to look at the assets in your organization where value does not depreciate over time, as an example the value of the data within the organization rather than the value of the computers that store the data within the organization. If you start to have a conversation with the individuals within the organization regarding the value of the data, not involving the assets that store and hold the data, then you're going to have an asset that does not devalue over time, but rather the value of the asset may actually increase over time. That's going to be a more important discussion to have with the business, and you'll have a lot more credibility as a result of it. So don't be afraid to lead them on if they're telling you that the assets are your computer systems and just box you in there, because after all, information technology happens to computer systems. Turn the tables on them. Start talking about the data within those systems. That's what they really care about.
That's what you really care about. Work together with them to determine the value of those assets. Um a strangely valuable partner in valuation for your organization is uh the insurance people. If your organization has been well structured enough where you have cyber insurance or other insurance to cover uh information security breaches, you've got some very very good asset valuation that's already been done. Leverage it. Make your CFO your friend. Make your CTO your friend. They're more than happy to sit down and have that kind of conversation. But you really have to well I say yes take all the information they give you for asset valuation. Um you want to drive the conversation a little bit because you don't want to get
at assets that depreciate over time. You want to get to the valuation of assets that will grow in value over time. Those are the ones that have value.
Yep.
Absolutely. But both sets of assets are important, and both should be captured within the value of the vision making machine. What's the impact to you, to your organization, if it's down for 30 days? Yes, seems
likelihood discuss what is likelihood.
have critical assets. What are the things? Yes. And then when something bad happens to those things
So the vulnerability perspective is meaningful to you, because you need to manage and mitigate the vulnerabilities. Different vulnerabilities will have different impacts on the same asset. So by calculating what the potential impact of a denial-of-service vulnerability is versus the potential impact of a meteorite strike, they're going to have two very, very different results. Denial of service will have a percentage of dollars over the period of time of the actual attack. A meteorite impact on your production data facility will have a different impact, which hopefully you have a business continuity plan in place to deal with. But you use that second impact to drive putting in place that business continuity impact. You have different things to put in place to deal with a denial-of-service attack, based upon the asset valuation of that threat. All right.
If you take a look at the spreadsheet right up here on the screen, you can see two very dollarations based upon threats to the organization. Both things may happen. So both may have an impact probability of one. You go back to your language. If they happen, one could have an impact of $30,000. One of them is going to have an impact of well over a million. Where am I going to spend my money in defending my organization is what this tells me. I'm going to spend my money on that million-dollar impact, even if there's much more likelihood of that $30,000 impact happening. I may throw some money at preventing that $30,000 asset, but I'm not going to spend it off, because after all, it's only $30,000. That's the... I'm not... I'm gonna spend a fraction of that $30,000 detected or spent except for the acts all of these scenarios, right? So compromised exposure... Now, even though the vulnerability itself may lower the net result, nonsense, the net result to the enterprise would be very different if you have a data breach that exposes your email addresses versus a data breach that exposes that kitten coordinates in your environment, or a data breach that exposes the company's financials, or a data breach that exposes PII, which you're not looking... No, you need to. And that's why you break down impact into multiple categories, and you look at: can this particular vulnerability have an impact on all of these categories, or only an impact on a subset?

You're assuming... stop. No, I'm assuming that for this particular asset, the worst thing that can happen to me are those impact statements. I'm coming up with worst-case scenarios. The worst-case scenario is not limited to that asset. So I do one of these for all my assets. I do one of these systematically for the entire organization, for all assets. And that's the problem with this particular tool. And that's where a professional tool can be much more helpful to you. Because if I'm filling out a spreadsheet like this for every single asset in my organization, that's a lot of work. Nobody said this was simple. Nobody said this. This took 10 minutes to fill out one of these spreadsheets for the one asset. And I only looked at one asset within my organization. It took me a month's worth of work to do the entire analysis of my organization: taking a look at all the controls regarding this asset, their effectiveness regarding this asset, all against all the different threats regarding this asset, with all of these impacts for this asset. That took me a calendar month of person-hours to calculate what the risk was to the organization of something happening to this asset. Risk analysis is a nontrivial endeavor. If you're going to do this comprehensively for all the assets in the organization, that's going to take a serious amount of time. You do this for the assets you care about. And you continue to build that catalog of analyzed risks over time, knowing that this needs to be an iterative process. You don't do this once. You do this systematically: once a year, once a month, once a week. How important is it to you? How dynamic is your environment? If your environment is one where the controls in your organization are changing on a quarterly basis, you need to go and adjust these on a quarterly basis, at least to show you and the organization the impact of tightening your controls on the lessening of risk. That suddenly becomes very tangible. We've got about eight minutes before we're thrown out of the room. Are there any other questions?
That would be the next step, and I have not done that yet with this one. Right now I've only gotten to the point where I can have a good, meaningful conversation with the business on impact analysis. Yes.
So put in all the answers and come up with the mean of them, and then go forward with the aggregate expertise of your organization. Why choose amongst them? They all have their perspectives. They're all valuable. Leverage them all. Work on the mean of that and go forward. Probably, I hesitate to say, but probably none of those needs, sorry, none of those numbers are calibrated. Probably none of them have thought through: how do I know how strong this control is? Have I done the testing? Have I done the analysis of it? What have I just said? Yeah. No. SSL is great. It's wonderful. It's an armored truck running through a bad neighborhood. That's how it is.
Yeah. And he's probably more full of it. The idea is, if you put them all in and if you don't show favoritism, it becomes more mean. It has the expertise of your team builds. For instance, you get a better sense of confidence in those numbers. All righty. So, yes. Oh, excellent question. Easy, easy to answer. Bits gives you 622 different threats. It's actually half of that, because they look at things from both an inside and an external perspective. One of the things... Yes, that's why it took a moment. The beautiful thing is that you can look at them in categories. I put this into table view. Table view is one of the loveliest things about this version of Excel. So I can say, if I want to look at everything... So if I only want to look at compliance issues, I can go through here, select compliance issues, scroll up to the top. Hang on a second. As I do that, scroll up to the top. And I can now look at this particular category of threats in isolation from everything else. I can do the same with this kind of vulnerability. I can do the same with this kind of security control. So I have the ability, once I've done the analysis, to dive deep into any one of these things.

So I've got some swag here. Is there anybody in the room who even knows what the HTC1s is? Yours. And I managed to miss the AV equipment. All right, we've got... this has got to be Honeybagger. Honeybadger. This, using my card impression here. This is BSides San Francisco. You want it? You got it. Oh, that was close. Now that's all to the side of the room. Sorry, just... I've got one more to this side of the room. Who wants the unknown black sweatshirt or black t-shirt? Done. So, the man who raised his hand. Thank you very much. Thank you everybody for coming. It has been a pleasure.
Hey, AV guy. I just realized for the entire talk I didn't use the mic. I hoped that the audio was because I was speaking loudly. Good work. Thank you. Good questions.