Former NSA and CIA director recommends managing consequences instead of vulnerabilities

Michael Hayden believes managing vulnerabilities is untenable and consequence management using the Risk Equation is preferable. Read about the equation's components.


When it comes to information security, vulnerability management (i.e., finding and closing the holes attackers use to get in) has been less than successful. To put a point on it, Fortune's Robert Hackett quotes Michael Hayden, former director of the NSA and CIA and currently a principal at the Chertoff Group, as saying at a recent computer security conference, "They're going to get in. Get over it."

After telling the attendees at the computer security conference to "get over it," former Director Hayden pulled up the following slide:

Risk = threat x vulnerability x consequence

Hackett writes that Hayden then proceeded to explain why managing vulnerabilities is untenable, and the focus should instead be on consequence management using the above Risk Equation.


What is The Risk Equation?

The Risk Equation presented by Hayden is not new; The International Charter started championing this approach in early 2000. The Risk Equation concept has flourished in other industries, in particular, emergency management and nuclear safety. The following diagram depicts a successful risk assessment process used by FEMA.

Image: FEMA

In an International Charter post, Dr. Peter Tippett, a well-known security expert, explains how the Risk Equation fits into IT. Tippett starts by defining the terms used in the formula.

Threats are defined as statements of an intention to inflict pain, injury, damage, or other hostile action. Tippett mentions that not all threats are acted upon or result in damage. That means the threat variable could equal zero.

Vulnerability is the likelihood of success by a particular threat category. Tippett cautions that this variable is not about gauging the success of an attack against an individual computer. "We are concerned about vulnerabilities at an organizational level, say 1,000 PCs and 50 servers configured and networked in a particular way," explains Tippett, "and vulnerabilities have to be quantified in terms of a probability of success, expressed as a percent likelihood."

Cost [consequence] refers to the impact of a particular threat experienced by a vulnerable target. Tippett divides costs into the following:

  • Hard-dollar costs are measured in terms of real damage to hardware or software, as well as quantifiable IT staff time, and resources spent repairing the damage.
  • Semi-hard costs include lost business or transaction time during a period of downtime.
  • Soft costs include lost end-user productivity, public-relations damage control, decreased user or public confidence, and lost business opportunities.

Risk is the key

The Risk Equation focuses all the attention on risk. In real life, that means threats, vulnerabilities, and consequences/costs are only important in that they are components in determining risk. Those inclined towards math will notice something interesting about this equation — when any one of the factors (threats, vulnerabilities, or consequences/costs) is zero or nonexistent, there is no risk.

Tippett adds, "By drilling down into each component, you'll often conclude that there's no risk — or at least no imminent risk — because at least one component of risk is zero or near zero."

To determine a value for each of the equation variables, Tippett suggests assigning weights to a series of questions that apply to each component. For example, questions for the threat component might include:

  • What tools, knowledge, and access are required to make it a threat?
  • What human motivation is necessary?
  • Who in your company has all the ingredients (tools, knowledge, access, motivation) to exploit the vulnerability?

Take the first step

Addressing vulnerabilities is the first step, advises Tippett. It is where IT departments have the best opportunity to correct issues.

"There are always many places where you can at least partially reduce vulnerabilities, and do so easily and inexpensively," writes Tippett. "We call these partial solutions synergistic controls. They are overlooked by almost everyone, but are exceedingly useful, especially when used together with other synergistic controls."
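The following is an added example (not code from the article, Hayden, or Tippett) that puts the pieces above together: a weighted questionnaire scored into a threat likelihood, an organization-level vulnerability probability, Tippett's hard, semi-hard and soft cost buckets summed into a consequence, and Risk = threat x vulnerability x consequence computed per scenario. It also reports which component drives a scenario to zero risk and shows how two partial ("synergistic") controls compound when applied together. The question weights, scenario names and dollar figures are assumptions constructed for illustration.

```python
# Added example (not from the article, Hayden, or Tippett): a small scorer for
# Risk = threat x vulnerability x consequence. Names, weights and dollar figures
# are assumptions chosen for illustration.
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Consequence:
    """Tippett's three cost buckets, in dollars (constructed figures)."""
    hard: float = 0.0       # damage to hardware/software, IT staff repair time
    semi_hard: float = 0.0  # lost business/transaction time during downtime
    soft: float = 0.0       # lost productivity, PR damage control, lost confidence

    def total(self) -> float:
        return self.hard + self.semi_hard + self.soft


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_answers: dict        # question id -> answer in 0..1 (1 = fully present)
    vulnerability: float        # organization-level probability of success, 0..1
    consequence: Consequence


# Hypothetical weights for the three threat questions the article lists
# (tools/knowledge/access, motivation, a capable actor in the organization).
THREAT_WEIGHTS = {
    "tools_knowledge_access": 0.40,
    "motivation": 0.35,
    "capable_actor": 0.25,
}


def threat_score(answers: dict, weights: dict = THREAT_WEIGHTS) -> float:
    """Weighted average of 0..1 answers; an unanswered question scores 0."""
    score = 0.0
    for question, weight in weights.items():
        answer = answers.get(question, 0.0)
        if not 0.0 <= answer <= 1.0:
            raise ValueError(f"answer for {question!r} must be in 0..1")
        score += weight * answer
    return score / sum(weights.values())


def risk(s: Scenario) -> float:
    """Risk = threat x vulnerability x consequence (dollars of expected loss)."""
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in 0..1")
    return threat_score(s.threat_answers) * s.vulnerability * s.consequence.total()


def zero_factors(s: Scenario, eps: float = 1e-9) -> list:
    """Names of the components that are zero (or near zero); any one makes risk 0."""
    factors = {
        "threat": threat_score(s.threat_answers),
        "vulnerability": s.vulnerability,
        "consequence": s.consequence.total(),
    }
    return [name for name, value in factors.items() if value <= eps]


def with_controls(s: Scenario, residual_fractions: list) -> Scenario:
    """Apply partial ('synergistic') controls: each leaves a fraction of the
    success probability in place, and the fractions compound multiplicatively."""
    return Scenario(s.name, s.threat_answers,
                    s.vulnerability * prod(residual_fractions), s.consequence)


def rank_by_risk(scenarios: list) -> list:
    """(name, risk) pairs, highest risk first: where consequence management starts."""
    return sorted(((s.name, risk(s)) for s in scenarios),
                  key=lambda pair: pair[1], reverse=True)


# Constructed scenarios for a small organization (all numbers are illustrative).
SCENARIOS = [
    Scenario("Phishing to credential theft",
             {"tools_knowledge_access": 0.9, "motivation": 0.7, "capable_actor": 1.0},
             0.60, Consequence(hard=10_000, semi_hard=40_000, soft=150_000)),
    Scenario("Ransomware on file servers",
             {"tools_knowledge_access": 1.0, "motivation": 0.9, "capable_actor": 0.8},
             0.30, Consequence(hard=50_000, semi_hard=200_000, soft=100_000)),
    Scenario("Isolated lab PCs holding no business data",
             {"tools_knowledge_access": 0.8, "motivation": 0.5, "capable_actor": 0.6},
             0.90, Consequence()),            # consequence 0 -> risk 0
    Scenario("Insider export from a system nobody has access to",
             {},                              # no answers -> threat 0 -> risk 0
             0.50, Consequence(hard=20_000)),
]

if __name__ == "__main__":
    for name, value in rank_by_risk(SCENARIOS):
        print(f"{name:50s} risk = ${value:>10,.0f}")
    for s in SCENARIOS:
        if zero_factors(s):
            print(f"{s.name}: no risk because {zero_factors(s)} is zero")
    hardened = with_controls(SCENARIOS[0], [0.6, 0.7])  # two partial controls
    print(f"Phishing risk after two partial controls: ${risk(hardened):,.0f}")
```

Run as a script, the phishing scenario ranks above ransomware (a higher success probability outweighs the lower per-incident cost), the two scenarios with a zero component drop out entirely, and two partial controls that each leave 60% and 70% of the success probability in place cut the phishing risk to 0.42 of its original value. Reranking after every proposed control is the point of keeping the three components separate rather than arguing about a single "risk" number.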


Not a cure-all

To be fair, there are those who oppose solutions based solely on the Risk Equation. Louis Anthony (Tony) Cox Jr., in his ResearchGate article, identifies the use of probabilities instead of modeling as a potential limitation of the Risk Equation, adding, "Trying to directly assess probabilities for the actions of intelligent antagonists instead of modeling how they adaptively pursue their goals in light of available information and experience can produce ambiguous or mistaken risk estimates."

That said, the Risk Equation has been around many years helping reduce uncertainty. If it can offer anything in the way of risk reduction, it seems like a useful tool.


About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.
