
SCUBA diving can be dangerous, and cave diving even more so. I have 20 years of experience and all the required training, but still run into issues. I once dropped into a cave and ascended into a beautiful chamber with no access to the surface. I stayed with my guide, monitored my gauges, and followed my training. However, when I tried to leave, I couldn’t equalize the pressure in my ears to descend deep enough to leave.
My options were limited to suffocating there or descending without equalizing (and rupturing my eardrums). Not a great situation, but the choice was clear. I was in the hospital for four days with an ear infection and completely deaf for a week or two, but I did not suffocate.
I still dive (more than ever, actually), but I avoid situations that are likely to result in a similar outcome. I still swim with bull sharks, but I will not go anywhere if I can’t ascend directly. Bull sharks may look scary, but the odds they send me to the hospital are minuscule compared to the odds that I won’t be able to equalize my ears in a cave.
My risk/reward calculations aren’t simple or straightforward.
It’s not just the bad outcome I consider but:
1. How bad that outcome would be
2. The odds that it will occur
This risk calculation aligns precisely with the key recommendations in Gartner’s “2024 Strategic Roadmap for Managing Threat Exposure”. Gartner states that security leaders should “Build exposure assessment scopes based on key business priorities and risks, taking into consideration the potential business impact of a compromise rather than primarily focusing on the severity of the threat alone.”
And that’s precisely what Jed Security does.
1. How Bad Would the Damage Be?
Apply this calculation to your technology infrastructure: you might have an AWS S3 bucket that’s public, but if it contains images served on your website, then “public” is the correct setting. On the other hand, if it holds PII such as social security numbers, that’s certainly an “Oh $#!+” moment that you’ll want to address immediately.
Likewise, if the S3 bucket once had PII, but happens to be empty at the moment, there’s no urgency.
2. How Likely is That Damage to Occur?
In my experience, people who don’t work in cybersecurity tend to think hackers are sophisticated tech geniuses who, “Mission Impossible” style, deploy elaborate schemes to break into systems. They envision an “Ocean’s Eleven” type heist of green streaming code.
Of course, we all know the reality that in the vast majority of cases, attackers are simply opportunists who get lucky when an asset is misconfigured.
And that’s why the other part of the equation is how easy the attack is to execute, i.e. how likely it is to occur. For example, a dangling JavaScript resource is relatively easy to exploit, because whoever controls that resource can serve code your site will execute.
As Gartner writes, “EM [Exposure Management] consists of both exposure assessment and cybersecurity validation.” Gartner continues to explain their definition of validation in the context of CTEM, “CISOs should think of prioritization as a reordering of the exposure management work they have to do, and validation as a filtering of that list based on what attackers would do.”
Only by combining these two data points can you get a true picture of risk. This calculation is vital to true, accurate, effective risk mitigation.
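As an added illustration (not part of the original post and not Jed Security’s product), the Python sketch below scores the cases discussed above by combining impact and likelihood. The field names, the 0–3 scales, the triage thresholds and the sample assets are all assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One exposure finding. Field names and scales are this example's own."""
    asset: str
    exposed: bool       # reachable by an opportunistic attacker right now
    sensitivity: int    # impact if compromised: 0 public, 1 internal, 2 confidential, 3 PII/secrets
    has_data: bool      # is there actually anything to lose at the moment
    ease: int           # how easy the attack is: 1 hard, 2 moderate, 3 trivial


def impact(f: Finding) -> int:
    # "Public" is the correct setting for website images, and an empty bucket
    # that once held PII carries no impact today: both score zero.
    return f.sensitivity if f.has_data else 0


def likelihood(f: Finding) -> int:
    # No exposure, no likelihood, however valuable the asset is.
    return f.ease if f.exposed else 0


def risk_score(f: Finding) -> int:
    # The two data points from the text, combined: how bad times how likely.
    return impact(f) * likelihood(f)


def triage(f: Finding) -> str:
    # Thresholds are an assumption for the example, not a standard.
    s = risk_score(f)
    if s >= 6:
        return "act now"
    if s > 0:
        return "schedule"
    return "no urgency"


def prioritize(findings):
    # sorted() is stable, so equally scored findings keep their input order.
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings mirroring the cases in the text (not real assets).
FINDINGS = [
    Finding("s3://website-images", exposed=True, sensitivity=0, has_data=True, ease=3),
    Finding("s3://customer-ssn-export", exposed=True, sensitivity=3, has_data=True, ease=3),
    Finding("s3://old-pii-archive", exposed=True, sensitivity=3, has_data=False, ease=3),
    Finding("cdn.example/dangling.js", exposed=True, sensitivity=2, has_data=True, ease=3),
    Finding("s3://hr-records-private", exposed=False, sensitivity=3, has_data=True, ease=1),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):2d}  {triage(f):<11} {f.asset}")
```

Note that the private bucket full of PII and the public bucket of website images both land at zero: high impact without exposure, or exposure without impact, is not a priority under this model.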
Synergistic Security Functions
I’m fascinated by the idea of synergy – where the whole is greater than the sum of the parts. Applied to people, each one can spark ideas others build upon, resulting in outcomes more feature-rich and creative than anyone could develop alone (like this blog, for example).
And discovering all assets, scanning for vulnerabilities, plus calculating attack difficulty and likelihood all lead to the synergy of effective threat mitigation. With a properly executed CTEM program, the efficacy of threat mitigation far exceeds that of multiple, disparate point solutions.
Gartner describes how the various insights of CTEM build on one another, with an effective CTEM process as the synergistic output. “It’s crucial to scope risk in relation to threat exposure, as this is one of the key outputs that will benefit the wider business. To do so, senior leaders must understand the exposure facing the organization, in direct relation to the impact that an exploitation of said exposure would have.”
Reduce the Right Risk at the Right Time
Gartner notes, “Today, discovery and remediation of threat exposures is carried out in silos, these silos remove opportunities to understand the entire risk picture as well as reduce the burden through consolidated remedial work. Using the artificial boundaries associated with network or departmental constructions serves only to inhibit the ability to reduce the right risk at the right time.”
Exactly. As much as we might like to believe we can achieve perfect posture, the realistic objective is to reduce the right risk at the right time.
Jed Security monitors continuously and tells you what those right risks are.
Reduce noise to threats. Reduce threats to action. Sign up to see a demo.