
# Real-World Calculation

For the purposes of architecture assessment for security, risk may be thought of as: Credible Attack Vector * Impact = Risk Rating

where

Credible Attack Vector (CAV) = a value such that 0 < CAV < 1

Impact = an ordinal that lies within a predetermined range such that 0 < Impact < Predetermined limit (example: 0 < Impact < 500) [1]

If we can consistently compute CAV and also rate Impact within a chosen scale, multiplying the two yields a risk rating. This is precisely how the Just Good Enough Risk Rating (JGERR) computes risk. Because CAV is less than 1, the rating is always some fraction of the Impact limit, 500 in the example above. JGERR users must then choose what portion of the 0 to 500 range counts as low, what range medium covers (presumably centered on 250), and the remainder is high. Or, as we did at Cisco Systems, Inc., the range might be divided into five buckets: low, medium-low, medium, medium-high, and high. Depending on the needs of the organization, the buckets need not be symmetrical. Greater emphasis can be placed on higher risk by expanding the high bucket: simply start the high classification at a lower number (say, 300). Conversely, an organization with a more risk-tolerant posture might expand low or medium at the expense of high. Skewing the thresholds around a particular bucket ensures that the security needs of the organization are reflected in the rating system's buckets.
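The rating and bucketing just described, as an added example in Python. This is not code from the book, nor Cisco's JGERR tooling; the text fixes only the 0 to 500 scale, the strict ranges on CAV and Impact, and the suggestion that a skewed scheme might start high at 300. The bucket labels, every other boundary, and the sample CAV and Impact values are assumptions chosen for illustration. The point it shows is that the same rating changes classification when an organization moves the bucket thresholds, and that inputs outside the defined ranges are rejected rather than silently producing a rating.

```python
"""JGERR-style risk rating with configurable risk buckets.

Added example for illustration; not the book's own code nor Cisco's
JGERR tooling. The bucket boundaries and sample inputs are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

LIMIT = 500  # the text's example upper bound for Impact (and so for the rating)


def is_valid(cav: float, impact: float, limit: int = LIMIT) -> bool:
    """Ranges as the text defines them: 0 < CAV < 1 and 0 < Impact < limit."""
    return 0.0 < cav < 1.0 and 0 < impact < limit


def risk_rating(cav: float, impact: float, limit: int = LIMIT) -> float:
    """Credible Attack Vector * Impact. Because CAV < 1, the result is always below limit."""
    if not is_valid(cav, impact, limit):
        raise ValueError(f"CAV={cav}, Impact={impact} outside 0<CAV<1, 0<Impact<{limit}")
    return cav * impact


@dataclass(frozen=True)
class BucketScheme:
    """Ordered (label, lower_bound) pairs over the 0..limit rating range.

    A rating falls in the last bucket whose lower bound it reaches, so an
    organization skews the scheme simply by moving the lower bounds.
    """
    name: str
    buckets: Tuple[Tuple[str, float], ...]

    def __post_init__(self) -> None:
        bounds = [lower for _, lower in self.buckets]
        if bounds[0] != 0 or bounds != sorted(bounds):
            raise ValueError(f"{self.name}: bounds must start at 0 and ascend")

    def classify(self, rating: float) -> str:
        label = self.buckets[0][0]
        for name, lower in self.buckets:
            if rating >= lower:
                label = name
        return label


# Assumed boundaries. The text fixes only the 500 scale and suggests 300 as
# the start of "high" in a skewed scheme; everything else is illustrative.
THREE_EQUAL = BucketScheme(
    "three equal buckets",
    (("low", 0), ("medium", 167), ("high", 334)),  # medium roughly centered on 250
)
FIVE_EQUAL = BucketScheme(
    "five equal buckets",
    (("low", 0), ("medium-low", 100), ("medium", 200), ("medium-high", 300), ("high", 400)),
)
HIGH_SKEWED = BucketScheme(
    "five buckets, high expanded to start at 300",
    (("low", 0), ("medium-low", 75), ("medium", 150), ("medium-high", 225), ("high", 300)),
)
SCHEMES = (THREE_EQUAL, FIVE_EQUAL, HIGH_SKEWED)


def classify_all(cav: float, impact: float) -> Dict[str, str]:
    """Rate once, then show how each scheme labels the same rating."""
    rating = risk_rating(cav, impact)
    return {scheme.name: scheme.classify(rating) for scheme in SCHEMES}


if __name__ == "__main__":
    # Constructed sample: a fairly credible attack vector (0.75) against a
    # moderately valuable asset (Impact 420). The resulting rating of 315 is
    # "medium-high" on the equal five-bucket scale but "high" once the
    # organization skews the scheme toward high.
    for name, label in classify_all(0.75, 420).items():
        print(f"{name:45s} -> {label}")
```

Note that `is_valid` enforces the strict inequalities the text gives: a CAV of exactly 1 (certain attack) or an Impact equal to the limit is rejected, which matches the definition above even if a real rating methodology might choose to allow the end points.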

We will come back to the terms making up any similar calculation at a later point. First, let’s define what risk means in the context of computer security.

As in the entire assessment process, there is significant craft and art involved in risk rating. Because of this, a key tool will be the assessor’s mind. Each of us unique human beings is blessed (or cursed) with her or his own risk tolerance. Effectively rating risk can only be done when the assessor understands his or her personal risk tolerance.

Effectively managing information risk and security, without hindering the organization's ability to move quickly, will be key to business survival.

• [1] I do not claim that guessing at, or even calculating in some manner, the credible attack vector (CAV) will yield a risk probability. It is merely one of any number of risk rating systems. The following explanation is one approach to risk that rates a collection of dependent conditions that must be taken together as a whole. One cannot simplistically grab a vulnerability and assume the other factors. The following is one way to decompose the elements of probability, an approach to impact that has been used over hundreds, perhaps even more than a thousand, risk assessments over a number of years. It is certainly not the only way, nor the "True Way." Credible attack vector is presented as an example of a cyber-risk calculation rather than a recipe to follow precisely. The point of describing this one approach is for you to understand the complexity of computer risk, especially when the risk ensues from the activities of human attackers. In order to assess computer systems, one must have a reasonable understanding of the component attributes of risk, and one must be facile in applying that risk understanding to real-world attackers and actual vulnerabilities within real computer systems, where a successful attack is likely to cause some harm. Credible attack vector rating is a simple and proven method to account for the many connected and dependent factors that, taken together in some measure, make up the probability calculation for cyber risk. Use CAV as a starting point for your understanding and your organization's methodology, if it helps to get a handle on this thorny problem.
