Cyber security guidelines are being released or updated in the financial sector in Malaysia (RMiT), Singapore (TRMG) and Australia (CPG-234), amongst other countries in Asia Pacific. Interestingly enough, all of these guidelines ask for threat modelling to be conducted within financial institutions. A number of organisations that I interact with are questioning the need for this requirement, which I will explain in this paper.
To understand the link between threat modelling and risk management, you need to look at the formula for calculating risk, which is risk = probability x impact. However, to calculate probability, one must understand the vulnerabilities affecting the asset in question as well as the threats that can impact that asset. Vulnerabilities are basically gaps in cyber security that an adversary can exploit to cause harm to the asset in question. However, for a vulnerability to be exploited, there has to be a threat present.
As such, to work out the probability of occurrence, one needs to know the threats that may affect the asset. This is where threat modelling and threat intelligence come into play. Threat intelligence will give you information on who is targeting you and how. Armed with this knowledge, an organisation can then look at the controls in place to thwart any potential attack as well as any further investments needed to boost defences. Knowing the exposure, based on the control gaps against the threats, provides a much more accurate picture of the probability of an adverse event affecting an asset. And remember, most organisations will choose not to completely eliminate the risk, but to mitigate it to a level that is within the risk appetite of the organisation. Again, being able to accurately understand the threats and vulnerabilities is critical to understanding the risk, managing this risk against the organisation’s risk appetite and then quantifying the level of cyber insurance needed to transfer the residual risk.
Pretty much everyone runs exercises to understand vulnerabilities. These range from regular automated vulnerability scans to assessments against standards such as NIST, ISO 27000 series, etc. This is important, but the issue that organisations run into is a laundry list of vulnerabilities requiring many millions of dollars to resolve, and nothing really moves because of the large investment needed in terms of both time and money.
Injecting threat intelligence and threat modelling into the mix allows an organisation to understand who is targeting them and how. With this knowledge and intelligence, an organisation can then look at its vulnerabilities and prioritise the ones that are being targeted by its adversaries in order to shut them down. With this simple approach, you are not just prioritising and addressing the most critical vulnerabilities, but you are also creating a case for the investment. It will be a lot easier to have a conversation with the Executives and Board about why you need the security investment to address a vulnerability when you know that’s what the adversary is targeting, as opposed to saying we need $1M to buy X because the consultant said so!
And the above point is a good segue into how threat modelling should be run in an organisation. Threat modelling is not an exercise that should be run by the Cyber Security Department in isolation. It should be run in conjunction with Risk, as what threat modelling reveals is a key part of the risk calculation formula as explained earlier.
Further, as the threat modelling exercise is run within the organisation, the threats are understood, controls are mapped against the threats and gaps are determined, the Board and Execs must be made aware of the results of this exercise, as these results document the level of cyber risk the organisation is exposed to. This is the information that the Board and Execs will need to approve any funding required for controls improvement. This level of reporting should be done on a quarterly basis, with clear progress being shown on risk reduction and controls improvement. With this simple exercise you are answering the following questions that every Board member and Exec is asking:
- What are my cyber security threats and how do we stack up against them?
- Where is the money that we are spending on cyber security going and is it being invested wisely?
As discussed above, threat modelling is a key part of risk management. Not only does it allow an organisation to truly understand its cyber security risks, it is a very useful tool in keeping the Board and Execs informed on the real cyber security risks facing the organisation, how we stack up against these risks and the rationale behind cyber security expenditure.
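The threat-informed prioritisation and risk-appetite comparison described above can be sketched as follows. This is an added example, not part of the original paper; the scoring model (probability = threat activity x control gap), the 1 to 5 impact scale, and all asset names and values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    weakness: str            # label shared with the threat-intelligence data
    impact: int              # business impact if exploited, 1 (low) to 5 (severe)
    control_coverage: float  # 0.0 = no effective control, 1.0 = fully mitigated

# Constructed sample data, not taken from any real assessment.
FINDINGS = [
    Finding("internet-banking", "credential-stuffing", 5, 0.4),
    Finding("core-ledger", "unpatched-db-engine", 5, 0.9),
    Finding("hr-portal", "weak-tls-config", 2, 0.0),
    Finding("payment-gateway", "phishing-of-operators", 4, 0.5),
]

# Constructed threat intelligence: how actively adversaries relevant to the
# organisation use each technique (0.0 = not observed, 1.0 = active campaigns).
THREAT_ACTIVITY = {
    "credential-stuffing": 0.9,
    "phishing-of-operators": 0.8,
    "unpatched-db-engine": 0.2,
}

def probability(finding, threat_activity):
    # Assumed model: a vulnerability contributes to probability only when a
    # threat is present, scaled by the gap left by existing controls.
    threat = threat_activity.get(finding.weakness, 0.0)
    return threat * (1.0 - finding.control_coverage)

def prioritise(findings, threat_activity, risk_appetite):
    """Return (finding, risk) pairs above the appetite, highest risk first."""
    scored = [(f, round(probability(f, threat_activity) * f.impact, 2))
              for f in findings]
    above = [(f, risk) for f, risk in scored if risk > risk_appetite]
    return sorted(above, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for f, risk in prioritise(FINDINGS, THREAT_ACTIVITY, risk_appetite=1.0):
        print(f"{risk:>5}  {f.asset:<18} {f.weakness}")
```

In this constructed data, the severe-impact database finding falls below the appetite because the threat is weak and controls are strong, while the two actively targeted weaknesses rise to the top of the investment case.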