Threat Intelligence, Meet Defense Intelligence
The relationship between cybersecurity and cyber risk is subtle and nuanced. Cybersecurity is the label placed on activities whose focus is protecting information assets and network operations from compromise. The pursuit of enhanced cybersecurity is ongoing and fluid, but it is advanced by real, observable activities that can be verified and validated. The activities are mostly internal to the company and very much within management’s control.
The overarching goal of cybersecurity is to reduce cyber risk. This risk can be defined as the likelihood of a breach and the probable impact on customers or the company. While cybersecurity measures are deterministic, cyber risk is probabilistic. It has no single point of origin (internal or external to the firm), but instead emerges from the interaction of people, processes, and technologies. The extent to which managers can control the security of those interactions determines how well they can reduce cyber risk.
One popular method of estimating cyber risk has been to focus on external threats. By using externally available data to understand the threat landscape in intimate detail, or so the logic goes, an organization will know what to defend against. At first this seems intuitive, but when the overwhelming magnitude and variety of threats are considered, it quickly breaks down.
According to Verizon’s 2015 Data Breach Investigations Report, global threat intelligence providers report on over 500,000 malicious websites – and that list of websites turns over every day. To suggest that firms can optimize their perimeter defenses against 500,000 new threats every day is unreasonable. That is an uncomfortable reality for those who have based their risk ratings on externally available data.
The most straightforward way to calculate cyber risk is to multiply the likelihood of a breach event by its probable impact. With sound estimates of likelihood (the probability that a breach occurs in a given period) and impact (the cost if it does), one can produce a reasonably reliable estimate of the expected damages a company or its customers will sustain. Those damages represent the liability, which in turn heavily influences the expected cost of carrying cyber risk insurance.
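As an added worked example (not part of the original article), the calculation above in Python: `expected_loss` is the likelihood × impact point estimate, and `simulate_annual_loss` treats the same two inputs probabilistically, as the earlier paragraph says cyber risk is, so that a bad-year figure can be read alongside the average. The 10% annual likelihood, the $2,000,000 impact and the lognormal shape of the impact distribution are constructed assumptions for illustration, not figures from the article.

```python
import math
import random


def expected_loss(likelihood, impact):
    """Point-estimate cyber risk: probability of a breach in the period
    times the probable impact (cost) of that breach. Returns expected loss."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be a non-negative cost")
    return likelihood * impact


def simulate_annual_loss(likelihood, median_impact, spread, trials=50_000, seed=1):
    """Monte Carlo view of the same risk. Each trial is one year: a breach
    occurs with probability `likelihood`; if it does, the loss is drawn from a
    lognormal distribution with the given median and `spread` (sigma of the
    underlying normal). Returns (mean annual loss, 95th-percentile annual loss).

    The lognormal shape is an assumption, not something the article specifies;
    it is used here because breach costs are positive and heavy-tailed."""
    rng = random.Random(seed)            # fixed seed so the run is reproducible
    mu = math.log(median_impact)         # median of a lognormal is exp(mu)
    losses = []
    for _ in range(trials):
        if rng.random() < likelihood:    # does a breach occur this year?
            losses.append(rng.lognormvariate(mu, spread))
        else:
            losses.append(0.0)
    losses.sort()
    mean = sum(losses) / trials
    p95 = losses[int(0.95 * trials)]     # loss not exceeded in 95% of years
    return mean, p95


if __name__ == "__main__":
    # Constructed illustrative inputs: 10% chance of a breach per year and a
    # probable impact of $2,000,000. For the simulation the median is chosen
    # so that the lognormal mean is also $2,000,000 (mean = median * exp(sigma^2/2)).
    sigma = 0.5
    print(f"point estimate: ${expected_loss(0.10, 2_000_000):,.0f}")
    median = 2_000_000 * math.exp(-sigma ** 2 / 2)
    mean, p95 = simulate_annual_loss(0.10, median, sigma)
    print(f"simulated mean: ${mean:,.0f}  95th percentile: ${p95:,.0f}")
```

The simulated mean lands close to the $200,000 point estimate, but the 95th-percentile year is an order of magnitude larger, because in that year a breach actually occurs and the full impact is paid. That gap between expected loss and a bad-year loss is what drives decisions about insurance limits and retained risk, and it is invisible in the single multiplied number.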
Now consider that both components of risk – likelihood and impact – can be estimated from an understanding of a company’s ability to identify, protect, detect, respond, and recover from a security event. These five activities are the core Functions of the NIST Cybersecurity Framework, widely regarded as the gold standard for gauging cyber breach readiness. By using the framework to identify the assets at risk, then protecting those assets with reasonable defenses that allow an incident to be detected early, a company will be better able to respond to a cyber event and to recover as quickly as possible. None of these activities gains in any meaningful way from an exhaustive study of external threats; they advance through strict attention to measuring and improving internal controls around people, process, and technology.
A risk-based approach to cybersecurity prioritizes defense intelligence over threat intelligence. The threat of a cyber attack does not gain in magnitude on its own – it only does so when it encounters an attack surface unprepared to detect, respond, and recover. Managers who seek assurance of their firms’ cyber attack readiness will be best equipped to weather a storm if they continually assess and enhance the core values of defense intelligence.