Improving Return on Security Investment: Threat Modeling & Open FAIR™ Risk Analysis

Part 1, written by:

Simone Curzi, Principal Consultant, Microsoft

John Linford, Security Portfolio Forum Director, The Open Group

Dan Riley, Vice President & Distinguished Engineer, Data Science, Kyndryl

Ken St. Cyr, Sr. Cybersecurity Architect, Microsoft

Abstract:

For most organizations, security is a cost. Therefore, it is important to get just the right amount of it, and no more. But how do you decide when you have enough security, and what do you do to get it? That is an entirely different matter. This is the first post of a series on how to improve the return on your security investment with threat modeling and Open FAIR risk analysis.

Body:

We live in a complex, interconnected world. It continuously provides us with new opportunities and, with them, new challenges. We are all familiar with terms like “internet”, “social media”, and “IoT”, and we are expanding our vocabulary with “generative AI”, “quantum”, and “metaverse”. Alongside those terms, we have become more acquainted with less enjoyable topics like “security” and “privacy”.

Security is perceived as a cost of doing business: if you neglect it, you will be compromised and face significant financial loss, along with damage to your reputation. The usual conclusion is that you must simply do whatever is required to secure your solution. That approach, however, is unlikely to be cost-effective.

So, the question is: how much security is enough?

Security controls are not free. Each one has implementation and operational costs, and the returns diminish as you add them: every control you implement reduces the residual risk, so each subsequent control has less risk left to remove. At some point, the risk reduction bought by the next control is worth less than that control costs to implement and operate. This is when you should stop adding controls, because the cost would exceed the benefit you would receive.

These considerations have the potential to revolutionize how we secure our assets going forward. They imply that security may become another tool available to the business to control the economics of its solutions. We can move from the current reality, where organizations blindly invest their resources in recommendations and compliance regulations without evaluating the expected benefits, to a new reality where they think critically about what the organization needs in order to have enough security at the right cost. In this new reality, organizations no longer fragment and waste their time, attention, and money by implementing every security tool available. Instead, they compare the cost of implementing and operating security controls against the loss they would be expected to incur when malicious actors attack them.

To achieve this goal, we have identified two complementary tools: threat modeling and Open FAIR risk analysis.

Threat modeling is a process that helps you understand the security threats to a specific system, determine the potential loss from those threats, and establish appropriate mitigations. The Threat Modeling Manifesto makes a compelling case:

When you perform threat modeling, you begin to recognize what can go wrong in a system. It also allows you to pinpoint design and implementation issues that require mitigation, whether it is early in or throughout the lifetime of the system. The output of the threat model, which are known as threats, informs decisions that you might make in subsequent design, development, testing, and post-deployment phases.

In other words, threat modeling allows you to understand how a malicious actor may choose to attack your system and identify what controls you can implement to prevent, detect, and respond to those attacks.

Threat modeling ultimately results in a list of controls and explains why you should adopt them. However, it does not help you understand what, if any, action should be taken in a larger business context. Your solution might already be robust enough that the potential loss from an attack does not justify further investment for implementing incremental security controls. But how do you know for sure? This is where Open FAIR risk analysis comes to the rescue.

The Open FAIR™ Body of Knowledge provides a consistent, industry-tested taxonomy and approach to quantifying potential loss due to cybersecurity incidents. Open FAIR™ risk analyses focus on identifying and describing Loss Scenarios: the series of events in which a bad actor (Threat Agent) contacts an asset, works to compromise it, and causes the organization to experience an observable, quantifiable loss as a result of the compromise (Primary Loss), potentially followed by additional losses from the “fallout” of the incident (Secondary Loss).

Figure 1: Simulated Results of an Open FAIR Risk Analysis in the Open FAIR™ Risk Analysis Spreadsheet Tool

By using the Open FAIR process to analyze the effect of the different control combinations recommended by threat modeling, the organization can determine which set of controls is most effective at reducing risk to the system. More importantly, the organization can choose the optimal set of controls for a given system by weighing the overall reduction in risk against the cost of implementing and operating those controls. The organization can then make a business decision based on quantified estimates that are meaningful to the business, rather than on a generic list of recommendations.
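The following Python example makes the preceding argument concrete: the stopping rule for adding controls (stop when the next control costs more than the risk it removes), the Open FAIR loss factors (Threat Event Frequency, Vulnerability, Primary Loss, Secondary Loss), and the choice of a control set by comparing risk reduction against cost. It is an added illustration, not the Open FAIR™ Risk Analysis Spreadsheet Tool and not code from the project described in this post. The factor names follow the Open FAIR taxonomy, but the example simplifies in two ways: ranges are triangular rather than PERT, and annual loss is approximated as Loss Event Frequency multiplied by Loss Magnitude. The scenario (credential stuffing against a customer portal), every figure in it, and the four control options with their costs and effects are constructed for illustration only.

```python
"""Added toy Open FAIR-style comparison of control options (not the Open FAIR
Risk Analysis Spreadsheet Tool). Factor names follow the Open FAIR taxonomy;
ranges are triangular rather than PERT, and annual loss is approximated as
Loss Event Frequency x Loss Magnitude. All figures are constructed."""
import random
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Factor:
    low: float    # minimum
    mode: float   # most likely
    high: float   # maximum

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3  # mean of a triangular

@dataclass(frozen=True)
class LossScenario:
    tef: Factor        # Threat Event Frequency: attacker contacts per year
    vuln: Factor       # Vulnerability: P(a threat event becomes a loss event)
    primary: Factor    # Primary Loss per event: response, replacement, downtime
    slef: Factor       # Secondary Loss Event Frequency: P(fallout per event)
    secondary: Factor  # Secondary Loss per event: fines, churn, legal

    def expected_annual_loss(self) -> float:
        """Closed form: the factors are independent, so their means multiply."""
        lef = self.tef.mean() * self.vuln.mean()
        return lef * (self.primary.mean() + self.slef.mean() * self.secondary.mean())

    def simulate(self, rng: random.Random, iterations: int = 10_000) -> list:
        """Monte Carlo annual-loss samples, the kind of output the spreadsheet tool charts."""
        out = []
        for _ in range(iterations):
            lef = self.tef.sample(rng) * self.vuln.sample(rng)
            lm = self.primary.sample(rng) + self.slef.sample(rng) * self.secondary.sample(rng)
            out.append(lef * lm)
        return out

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    factor: str        # which LossScenario field the control changes
    multiplier: float  # 0.25 = that factor's whole range drops to 25%

def apply_controls(base: LossScenario, controls) -> LossScenario:
    values = dict(vars(base))
    for c in controls:
        f, k = values[c.factor], c.multiplier
        values[c.factor] = Factor(f.low * k, f.mode * k, f.high * k)
    return LossScenario(**values)

def net_benefit(base: LossScenario, controls) -> float:
    """Expected loss avoided minus what the controls cost to run each year."""
    avoided = base.expected_annual_loss() - apply_controls(base, controls).expected_annual_loss()
    return avoided - sum(c.annual_cost for c in controls)

def best_control_set(base: LossScenario, catalogue):
    """Exhaustive search; fine for the short list a threat model produces."""
    best, best_net = (), 0.0  # doing nothing has net benefit zero
    for r in range(1, len(catalogue) + 1):
        for subset in combinations(catalogue, r):
            if (nb := net_benefit(base, subset)) > best_net:
                best, best_net = subset, nb
    return [c.name for c in best], best_net

def add_controls_until_marginal_cost_wins(base: LossScenario, catalogue):
    """The stopping rule from the text: take the control with the largest positive
    marginal net benefit; stop when the next one costs more than the risk it removes."""
    chosen, remaining = [], list(catalogue)
    marginal = lambda c: net_benefit(base, chosen + [c]) - net_benefit(base, chosen)
    while remaining:
        pick = max(remaining, key=marginal)
        if marginal(pick) <= 0:
            break
        chosen.append(pick)
        remaining.remove(pick)
    return [c.name for c in chosen]

# Constructed scenario: credential stuffing against a customer portal (hypothetical figures).
BASE = LossScenario(tef=Factor(2, 6, 12), vuln=Factor(0.2, 0.4, 0.6),
                    primary=Factor(50_000, 150_000, 400_000), slef=Factor(0.1, 0.3, 0.5),
                    secondary=Factor(100_000, 300_000, 800_000))
# Constructed options a threat model might recommend; costs and effects are hypothetical.
CATALOGUE = [Control("mfa", 60_000, "vuln", 0.25), Control("rate_limit", 15_000, "tef", 0.6),
             Control("ir_retainer", 40_000, "secondary", 0.5),
             Control("soc_24x7", 500_000, "primary", 0.7)]

if __name__ == "__main__":
    samples = sorted(BASE.simulate(random.Random(1)))
    print(f"expected {BASE.expected_annual_loss():,.0f}; simulated mean {sum(samples) / 1e4:,.0f}, "
          f"90th percentile {samples[9_000]:,.0f}")
    print("best set:", best_control_set(BASE, CATALOGUE))
    print("greedy until marginal cost wins:", add_controls_until_marginal_cost_wins(BASE, CATALOGUE))
```

With these constructed figures the baseline expected annual loss is about 853,000. Multi-factor authentication alone buys the most, and adding rate limiting is still worth it, but the incident-response retainer then removes roughly 24,000 of expected loss for 40,000 of annual cost, so both the exhaustive search and the greedy rule stop at the same two controls; the 24x7 SOC never pays for itself in this scenario. The point is the method, not the numbers: in practice each factor comes from calibrated estimates for the specific Loss Scenario, and the closed-form expectation is only a shortcut for the Monte Carlo distribution that an Open FAIR analysis actually reports.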

This blog post is the first of a series of four that will describe the first project to link threat modeling with Open FAIR risk analysis. This initiative is hosted by The Open Group Security Forum and led by security experts from Microsoft and Kyndryl, as well as other Security Forum Members. The second post will show you how you can combine threat modeling with Open FAIR risk analysis to evaluate the current state of your system. In the third post, we’ll discuss how you can factor in the controls to estimate their effect and do some cost optimization. This will not only help address the question “How much security is enough?”, but also the more important question – “What should we do?” The fourth post will introduce considerations for using these concepts to define a KPI for evaluating how well your development teams are securing the solutions they are building.

The Security Forum’s Using Quantitative Analysis in System Threat Modeling Project is actively seeking additional participants to help develop and refine these ideas. All Silver and Academic Members of the Security Forum as well as all Gold and Platinum Members of The Open Group are entitled and welcome to participate. To learn more about joining the project or The Open Group Security Forum, please contact Forum Director John Linford at j.linford@opengroup.org.