As humans, we are awful at perceiving risk. We are influenced by media, anecdotal data, and evolutionary biology. Irrational fears lead humans to misperceive actual risks and sub-optimize risk reduction in both the physical and cyber world. To combat this, we need to be aware of our biases and embrace data and science-based approaches to assess and mitigate risk.
- Hi, I'm Steve Grobman, CTO of McAfee, and I'm afraid of snakes. I'm not the only one. About half of Americans are afraid of snakes. I'm also a believer in data, and the data tells us this is an irrational fear, at least in the United States, where only around five people a year die of snake bites. The number of deaths from stinging insects is 20 times that amount. And the number of people who die in auto accidents, a thousand times. So why don't we think twice about getting in a car and driving at 70 miles an hour on the highway, but are petrified when a snake crosses the hiking trail? The answer in this case is evolution. The studies have shown that humans, even small children, are instinctively able to quickly identify snakes. Researchers believe this evolutionary ability allowed humans to survive by avoiding threats in the wild. Our perception of other risks in the physical world is also miscalibrated, not due to biology or evolution, but rather the way that they're portrayed in media and culture. In Texas, where I live, we have a great example of this: tornadoes. We have tornado sirens, tornado shelters. And when a destructive tornado does occur, it makes a top story on the news with graphic images of catastrophic destruction. In reality, very few people die from tornadoes. In 2020, 24 tornadoes killed 76 people in the United States. Seven times that number, 529, died falling off ladders. If only there was a scientific approach we could use to measure risk, to help counteract our biased perceptions. There is. I'd like to introduce you to the micromort. The micromort, or micro-probability of death, is a unit of risk that represents a one-in-a-million chance of sudden death. This concept was first introduced by Stanford professor Ronald Howard in 1980. Everything we do has some level of risk. Take driving. Statistically, there's a one in a million chance of dying in an accident when you travel 230 miles by car.
Therefore, driving 230 miles exposes you to one micromort. Driving 460 miles exposes you to two, and so on. We can use the micromort to challenge our intuition on what is actually risky and what is not. For example, scuba diving is surprisingly safe, at only three micromorts per dive. And skydiving exposes you to only 10 micromorts. I'm talking about parachuting from a plane, not base jumping, which exposes you to way more, 430. This also allows us to much better understand how risky some very dangerous activities are. A single attempt to summit Mount Everest, for example, exposes the climber to 38,000 micromorts. Or think of that as the same risk as performing almost 4,000 parachute jumps. What does this have to do with cyber? Many of our perceptions about risk in the cyber world are also miscalibrated, and we need to use the moral equivalent of the micromort in the way we think about cyber risk. Just as we do in the physical world, we need to use science based on data to counteract the influence of social and traditional media and our raw emotions. Organizations worry about all sorts of threats. Mass malware, we see every hour. Spear phishing attacks on critical employees, we see every day. And the rare nation-state directed attacks that have the potential to be devastating. One observation is that the frequency of an event is inversely proportional to its impact. We see the exact same thing in nature, whether we're talking about tornadoes, earthquakes, or asteroid impacts. For example, with tornadoes, the Enhanced Fujita Scale goes from zero to five, with five being the most severe, yet 89% are EF1 or lower, and only 11% are two, three, four, or five. The impact of a cyber event has multiple levels of nuance. We need to consider the lethality to impacted organizations independently from the global impact. For example, we see some events that are high impact, even devastating to a single organization, but have limited global impact.
Sony, Target, Marriott, just to name a few. Other events such as WannaCry and NotPetya were catastrophic to numerous organizations around the world because they spread fast and were indiscriminately destructive. We also need to analyze the different aspects of the damage resulting from a cyber event. For example, a human-operated intrusion with minimal direct impact, such as stealing internal planning documents, still leaves the potential for any number of residual back doors and implants. The indirect cost of regaining environmental integrity can be immense. Another area of focus is whether the risk we face is passive or active. What risks are we exposed to by simply operating in a technologically advanced world? And what additional risk do we expose our organizations to as a result of our business decisions? We need to minimize risk from passive threats such as cloud-based productivity apps. We also need to understand the risk-reward benefit when we choose to engage in high-risk areas. Just as a hiker may willingly climb a mountain even though they know it's inherently risky, your business might invest in a new technology, such as the next-generation container capability whose threat surface is not yet fully understood, if the return is significant. Let's build a model that takes all these factors into consideration. The principal components boil down to these three vectors: the potential lethality of an event to an individual organization, the number of organizations that could be impacted, and the likelihood of occurrence. This model is all about risk. But remember, risk is the potential for a negative outcome, while an event is the historical record of what has occurred. Past events don't predict future outcomes, but they can provide data to scientifically assess the likelihood of future scenarios. Think of it this way.
Just as we don't know exactly what natural disasters will impact us next year, we can prepare for different types of events based on historical frequencies. Similarly, we don't know exactly what type of cyber events will occur in the future, but we can look at frequencies of different scenarios along the vectors we discussed to understand how to prepare our defenses. So how does what we should worry about align with what we do worry about? To answer this, we analyze traditional and social media along with the web activity of McAfee sites related to campaigns and threats. We found that many of the high-profile targeted attacks that received much attention were carried out against one organization. Memorable examples include the DNC hack, Equifax, Ashley Madison and OPM. Should we focus this much attention on high-profile, single-organization incidents? Yes and no. Clearly some of these attacks are newsworthy because they relate to national security, cyber impact to elections, or the impact to the organization's customers. Additionally, from a defender's perspective, how a lethal targeted attack occurs is important to understand so that we know how to prepare for a custom human-operated attack. But we need to be careful not to overemphasize the exact playbook that is executed in these scenarios. Yes, it's important to ensure that you're not running a vulnerable version of Apache Struts on your external-facing web servers, but it's as important to ensure that no external vulnerabilities exist that could lead to similar exploitation. Conversely, some campaigns such as TrickBot get little media coverage, but organizations need to pay greater attention to them. They act as the catalyst for secondary high-attack scenarios. For example, a human-operated ransomware attack engineered to hold the most valuable asset for ransom. TrickBot changes its implementation frequently and impacts an extraordinarily large number of organizations.
Why does SolarWinds get so much more attention when they both enable human-operated secondary attacks? Media coverage can inform us about emerging global cyber events, but we need a more science-based approach to optimize our defenses. We need to comprehensively evaluate all events that impact organizations. If we simplify our three-vector model by dropping frequency, we can examine the relationship between impact and scale. A starting point is to look at the high-profile events that we've seen over the last few years in combination with the cyber threats we see every day. We can then map their impact to the number of organizations affected. Let's break things into three simple elements we've dealt with for decades: targeted attacks that affect a single organization, indiscriminate malware such as password stealers and ransomware, and nuisance threats, such as PUPs and adware. One of the things that stands out is the inverse relationship between impact and breadth. But in the last few years, we've also seen the sophistication of attacks increase, which adds new elements to our chart. Supply chain attacks. Human-operated ransomware. And one of my favorites, the mega-worms. In this last case, this is not a new innovation. We've dealt with mass-spreading worms since the '90s. The ability for an attacker to use a wormable vulnerability to convert victims into attackers remains one of the most powerful adversarial innovations of all time. These additional elements have the same relationship where impact and breadth are inversely correlated, but we can see the slope has flattened. Innovation has provided adversaries with greater levels of efficiency to deliver lethality to their victims. What do we do about it? How do we defend our organizations? Unfortunately, there's not a single set of actions or solutions that cover all of these areas.
While it's critical to focus on the top left and not become the victim of a targeted attack, we also have to ensure that critical data files aren't stolen by indiscriminate malware, or that productivity doesn't grind to a halt due to a deluge of nuisance threats. We need good cyber hygiene along with user education to prevent everyday threats, good threat and artificial intelligence for indiscriminate and zero-day malware. And when there's a human attacker on the other side, we need a combination of technology and cyber operators to defeat the adversary, because no technology on its own can outsmart or outplay an advanced attacker. But we shouldn't forget that these are overlapping. For example, even in an advanced attack scenario driven by a human actor, good cyber hygiene such as a well-patched environment will make it harder to find exploitable vulnerabilities. And good threat and artificial intelligence limits the attack tools at their disposal. We have limited budgets, and our cyber professionals can't do everything. So it's critical that we understand and ensure that the investments we do make have the strongest benefit as compared to the risk that they're mitigating. Here's the bottom line. We can't defend our organizations by acting on gut instinct. Just as it is counterintuitive that, in the physical world, an investment in $6 anti-slip bathtub stickers provides a higher return on risk mitigation than a $4,000 tornado shelter, implementing multifactor authentication likely reduces more risk than mandating third-party code audits in an attempt to address supply chain attacks. My call to action for you is this: let's make the best cyber defense decisions possible. Yes, watch the news and monitor your Twitter feed, but be hyper-conscious to counterbalance natural instincts and reactions driven by media and hype. Ensure that every trade-off and decision you make to defend your organization is based on data and objectivity.
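The micromort conversion and the three-vector model (lethality, breadth, likelihood) as a small Python risk register that also ranks controls by risk reduced per dollar, the talk's bathtub-sticker test. This is an added example, not code from the keynote or from McAfee; the cyber scenarios, control costs and effectiveness fractions are constructed placeholders, and only the 230-mile, 10- and 38,000-micromort figures come from the talk.

```python
"""Micromort arithmetic and the talk's three-vector risk model (added example,
not the keynote's or McAfee's code). Only the 230-mile, 10- and 38,000-micromort
figures come from the talk; every cyber number below is a constructed placeholder."""
from dataclasses import dataclass
MILES_PER_MICROMORT = 230  # talk: driving 230 miles = one micromort

def driving_micromorts(miles: float) -> float:
    """Micromorts accumulated by driving `miles`."""
    return miles / MILES_PER_MICROMORT

def equivalent_repeats(total_micromorts: float, per_activity: float) -> int:
    """How many repetitions of a lower-risk activity match one exposure."""
    return round(total_micromorts / per_activity)

@dataclass
class Scenario:
    name: str
    lethality: float   # expected loss to one impacted organization
    breadth: int       # number of organizations that could be impacted
    likelihood: float  # probability the event occurs in a year

    def expected_loss(self) -> float:
        """Annualized loss across organizations: the three vectors multiplied."""
        return self.lethality * self.breadth * self.likelihood

@dataclass
class Control:
    name: str
    cost: float
    reduction: dict  # scenario name -> fraction of its likelihood removed

def rank_scenarios(scenarios):
    """Scenario names ordered by annualized expected loss, largest first."""
    return [s.name for s in sorted(scenarios, key=Scenario.expected_loss, reverse=True)]

def risk_reduced_per_dollar(control, scenarios):
    """Expected loss removed per unit of spend: return on risk mitigation."""
    removed = sum(s.expected_loss() * control.reduction.get(s.name, 0.0) for s in scenarios)
    return removed / control.cost

SCENARIOS = [  # constructed: impact and breadth inversely related, as in the talk's chart
    Scenario("targeted intrusion", lethality=50_000_000, breadth=1, likelihood=0.5),
    Scenario("indiscriminate ransomware", lethality=500_000, breadth=2_000, likelihood=0.8),
    Scenario("nuisance adware", lethality=100, breadth=100_000, likelihood=1.0),
]
CONTROLS = [  # constructed cost and effectiveness figures
    Control("multifactor authentication", 50_000,
            {"targeted intrusion": 0.5, "indiscriminate ransomware": 0.4}),
    Control("third-party code audits", 400_000, {"targeted intrusion": 0.2}),
]
```

With these placeholder inputs the wide-breadth ransomware campaign outranks the headline single-organization intrusion, and the cheaper control wins on risk removed per dollar; swap in your own measured figures to get a ranking that means something for your environment.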