What do cybersecurity pros mean when they talk about a “high vulnerability” or “high risk”? If you’ve ever scratched your head listening to someone present a cybersecurity risk assessment, you’re not alone.
Many of us have these questions about risk: What does a high vulnerability mean to a business? How do we rank cybersecurity risks and other business risks? Is “high” risk tied to a million dollars or some other dollar amount?
Some cybersecurity experts might say you should try to fix all of the vulnerabilities in your systems – but others suggest more moderate or “triaged” approaches. Maybe they feel that you’re safe with vulnerabilities that don’t affect mission-critical data, or network segments that are isolated from the core network.
The lack of consensus around cybersecurity risk assessment norms (and what companies should and shouldn’t do) prevents full transparency and makes it harder to get alignment across the organization.
Figure 1: Traditional cybersecurity risk matrix
The traditional “likelihood vs. impact” risk matrix is flawed.
First, it leads to frustrating interactions between the security team and senior management. “High” means different things to different people. Second, it can be horribly misleading.
Imagine your organization defines “medium likelihood” as a vulnerability with a likelihood of 10% to 33%. Additionally, your convention for a “medium impact” issue is $100,000 to $1 million. That is a big range of outcomes! In the example of a “medium likelihood, medium impact” issue, the expected value ranges from $10,000 to $333,000. Would your organization handle a vulnerability with a $10,000 expected value the same as one with a $333,000 expected value?
Most organizations would want to respond differently to risks whose expected values vary this wildly, yet their cybersecurity risk assessment gives both the same “medium/medium” label.
The lack of precision is even worse when you think about the “high” impact range. High impact might range from $1 million to the total value of your company (or more)!
To prioritize between two systems that both have a “high” vulnerability, you have to measure the specific value of each asset. Otherwise, you will treat a vulnerability with a $1 million consequence the same way as one with a $1 billion consequence.
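The following is an added example (not code from the original post) that works the post’s arithmetic through for every cell of a 3×3 matrix: it computes the expected-loss range each label hides and checks whether two cells’ ranges overlap, which is what makes the labels useless for ranking. The “medium” bins are the post’s own (10%–33%, $100k–$1M); the “low” and “high” boundaries and the $100M company value are assumptions chosen for illustration.

```python
from itertools import product

# Likelihood bins in percent, (low, high). "medium" = 10%-33% is the post's
# own convention; the "low" and "high" boundaries are assumptions.
LIKELIHOOD = {"low": (1, 10), "medium": (10, 33), "high": (33, 100)}

# Impact bins in dollars. "medium" = $100k-$1M is the post's own convention;
# "low" is assumed, and "high" is capped at an assumed $100M company value.
IMPACT = {
    "low": (10_000, 100_000),
    "medium": (100_000, 1_000_000),
    "high": (1_000_000, 100_000_000),
}


def expected_loss_range(likelihood, impact):
    """Return (min, max) expected loss in dollars for one matrix cell.
    Using 33% rather than one third gives $330,000 where the post rounds
    to $333,000."""
    p_lo, p_hi = LIKELIHOOD[likelihood]
    i_lo, i_hi = IMPACT[impact]
    return p_lo * i_lo / 100, p_hi * i_hi / 100


def spread(likelihood, impact):
    """How many times larger a cell's worst case is than its best case."""
    lo, hi = expected_loss_range(likelihood, impact)
    return hi / lo


def cells_overlap(cell_a, cell_b):
    """True when two cells' expected-loss ranges overlap, i.e. the labels
    alone cannot say which of the two risks is bigger."""
    a_lo, a_hi = expected_loss_range(*cell_a)
    b_lo, b_hi = expected_loss_range(*cell_b)
    return a_lo <= b_hi and b_lo <= a_hi


def classify(prob_percent, loss):
    """Map a specific (probability %, loss $) estimate back to its cell."""
    def bucket(bins, value):
        last = list(bins)[-1]
        for name, (lo, hi) in bins.items():
            if lo <= value < hi or (name == last and value == hi):
                return name
        raise ValueError(f"{value} lies outside every bin")
    return bucket(LIKELIHOOD, prob_percent), bucket(IMPACT, loss)


if __name__ == "__main__":
    for cell in product(LIKELIHOOD, IMPACT):
        lo, hi = expected_loss_range(*cell)
        print(f"{cell[0]:>6}/{cell[1]:<6} ${lo:>12,.0f} .. ${hi:>14,.0f} (x{spread(*cell):,.0f})")
    print(classify(10, 100_000), classify(30, 900_000))  # same cell, 27x apart
```

Running the block prints the nine ranges; note that the “low likelihood / high impact” cell reaches $10 million, far above anything in “medium/medium”, so a matrix that ranks it below medium/medium is ranking the wrong way round.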
Normal scales such as “High, Medium, Low” lead to compression of critical pieces of information. This compression can have disastrous results for an organization’s information security program. There has to be a better way…