In this post I am going to explore the relationship between Cyber risks, threats and controls to show how we can use the performance of those controls to provide a rating of Cyber threat exposure that will enable us to see how effective our controls are in mitigating threats.
I think we can all relate to the idea of building a house close to a riverbank. We envisage sunny days lazing on the lawn and idyllic views. However, there is inevitably a potential risk that the property could be periodically flooded, the house damaged and our possessions ruined or destroyed. One can take a number of approaches to managing this risk – a shrug of the shoulders and accept that every so often we are going to have to pay out for new carpets, furniture and re-decoration; or build some defences to mitigate the effect of a potential flood – we could install a set of sandbags around the property, build a raised ground floor, build the house on stilts, etc. It may also be possible to buy varying levels of insurance to pay-out in the event that the flood happens, if you could afford the premiums and that is if anyone will insure you!
This simple example highlights the relationships between the risk of flooding, the threat of the river breaching its bank and some of the measures we can adopt to mitigate the risk. For every risk we can map the underlying threats, such as a huge storm, that can cause the risk to be realised (the river breaching its banks). We can then determine the protection measures that can be put into place to reduce the likelihood of the threat happening and to limit the potential impact should it occur.
If we now consider a common Cyber threat such as Ransomware, then we can see that Patching, anti-malware (AV) and Backup & Restore as example controls would be highly effective in mitigating this specific threat and therefore highly relevant. But the same controls would be less effective or relevant to mitigating Impersonation threats, such as Phishing or Vishing. If we did an exhaustive exercise and identified all the controls that would be effective in mitigating the threat of Ransomware, then we would see that some controls had a greater impact than others – i.e., some controls are more effective or relevant to mitigating specific threats.
Using this approach, we can build up a matrix of all Cyber threats, the controls that are effective in mitigating those threats and a Relevance Factor – i.e., how effective each control is in that mitigation. We can now use this Threat-Control Matrix in conjunction with how our Cybersecurity controls are performing to show us a quantifiable rating of our Cyber threat exposures.
By using this approach with the building of our house by the river we can assess and rate all the measures we could take to mitigate the threat and repercussions of a breach and deploy only those which will have the greatest effect on that mitigation, rather than waste money on every conceivable protection measure in the hope that one of them will work, or find we have not deployed the one that actually would have.
Shouldn’t we apply the same criteria to our Cyber Controls too?
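As a worked illustration of the Threat-Control Matrix and the "deploy what has the greatest effect" argument above, here is an added example that is not part of the original post. The threats, controls, Relevance Factors and control performance figures are all constructed for the example, and the scoring model (exposure as one minus the relevance-weighted mean of control performance, and an improvement ranking based on each control's relevance times its performance shortfall) is an assumption chosen to make the post's idea concrete, not a method the post prescribes.

```python
"""Threat-Control Matrix example (added illustration, not from the original post).

Combines per-control Relevance Factors with measured control performance to
produce a per-threat exposure rating, and ranks which control upgrade would
reduce a given threat's exposure the most. All data below is constructed.
"""

# How well each control is currently performing: 0.0 = absent or failing,
# 1.0 = operating fully as intended. Constructed sample values.
CONTROL_PERFORMANCE = {
    "Patching": 0.6,
    "Anti-malware": 0.9,
    "Backup & Restore": 0.5,
    "MFA": 0.8,
    "Awareness training": 0.4,
}

# Relevance Factor per (threat, control): 0.0 = irrelevant, 1.0 = a control
# that fully addresses the threat. Controls not listed for a threat are
# treated as irrelevant to it. Constructed sample values.
THREAT_CONTROL_MATRIX = {
    "Ransomware": {
        "Patching": 0.9,
        "Anti-malware": 0.8,
        "Backup & Restore": 1.0,
        "MFA": 0.3,
        "Awareness training": 0.5,
    },
    "Phishing": {
        "Patching": 0.1,
        "Anti-malware": 0.3,
        "MFA": 0.9,
        "Awareness training": 0.9,
    },
    "Vishing": {
        "MFA": 0.8,
        "Awareness training": 1.0,
    },
}


def exposure(threat, matrix=THREAT_CONTROL_MATRIX, performance=CONTROL_PERFORMANCE):
    """Exposure rating in [0, 1]: 1 - relevance-weighted mean control performance.

    Assumed scoring model: each control contributes in proportion to its
    Relevance Factor, so a failing control that is highly relevant drives the
    rating up, while an irrelevant control barely moves it. A control that is
    in the matrix but not deployed (absent from `performance`) scores 0.0.
    """
    relevances = matrix[threat]
    total_relevance = sum(relevances.values())
    if total_relevance == 0:
        return 1.0  # no mitigating control known for this threat: fully exposed
    mitigated = sum(r * performance.get(c, 0.0) for c, r in relevances.items())
    return 1.0 - mitigated / total_relevance


def rate_all(matrix=THREAT_CONTROL_MATRIX, performance=CONTROL_PERFORMANCE):
    """Return {threat: exposure} ordered from most to least exposed."""
    ratings = {t: exposure(t, matrix, performance) for t in matrix}
    return dict(sorted(ratings.items(), key=lambda kv: kv[1], reverse=True))


def best_improvement(threat, matrix=THREAT_CONTROL_MATRIX, performance=CONTROL_PERFORMANCE):
    """Which single control, if raised to full performance, cuts this threat's
    exposure the most. Returns (control, exposure_reduction).

    The reduction is relevance * (1 - current performance) / total relevance,
    i.e. the exact drop in exposure() under the model above.
    """
    relevances = matrix[threat]
    total_relevance = sum(relevances.values())
    gains = {
        c: r * (1.0 - performance.get(c, 0.0)) / total_relevance
        for c, r in relevances.items()
    }
    control = max(gains, key=gains.get)
    return control, gains[control]


if __name__ == "__main__":
    for threat, rating in rate_all().items():
        control, gain = best_improvement(threat)
        print(f"{threat:<11} exposure {rating:.2f}  "
              f"best upgrade: {control} (would cut exposure by {gain:.2f})")
```

Run as a script it prints one line per threat, most exposed first, with the control whose improvement would pay off most. Note how the ranking differs from a naive "fix the weakest control" view: Awareness training has the lowest performance, but for Ransomware the model points at Backup & Restore, because its higher Relevance Factor outweighs the smaller performance gap.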