We’ve covered three of the five strategies for pursuing our first principle: passive preventive controls, threat-informed controls, and resilience. Now we move to the next strategy: risk forecasting.

Risk forecasting is the process of predicting the chance that a cyber attack will cause a material impact to your business. It’s not about guessing. It uses math and logic to make better decisions over time.

In "Cybersecurity First Principles," Rick Howard outlines how to do this in Chapter 6. This article introduces those concepts. This is ONLY an introduction; future articles will cover techniques in deeper detail.

Why does risk forecasting matter?

Cybersecurity risk forecasters like to do the math.

Risk forecasting matters to IT professionals because it informs how you manage your precious time and budget.

When you handle both IT and cybersecurity, you have too much to do. You face a constant stream of alerts, patch releases, and vendor warnings. You cannot fix every vulnerability on your network. Risk forecasting gives you a math-based system to decide what to fix first.

Instead of reacting to scary news headlines or guessing which system to patch, you use probability. If a software vulnerability has only a 2% chance of causing a material impact to your business, you can safely put it at the bottom of your list. If the risk of having Microsoft user passwords phished has a 40% chance of leading to a data breach, you identify and implement controls to mitigate it today and reduce that probability. This method stops the endless game of whack-a-mole.

NOTE: Given your time constraints, you will likely not be able to perform in-depth forecasting for every risk. Start with what you think are your 3-5 top risks, then validate that they really are your top risks by forecasting their probabilities.

Translating cybersecurity speak to business language

Forecasting also changes how you talk to leadership. Business leaders usually do not understand technical jargon like "zero-day exploit" or "SQL injection." They understand money, probability, and business risk.

Risk forecasting translates your technical problems into the language of business. Instead of telling your boss that a security fix that hasn’t been deployed yet “might” lead to a cyber event, you use your forecast. You say, "There is a 25% chance this flaw will lead to a data breach, but deploying the security update will drop that chance of a data breach to 2%." This approach gives you a defensible reason for your security strategy and makes it much easier to get the budget you need. Just like grade school, be ready to show your work!

The tools of risk forecasting (“superforecasting”)

Many people think predicting the future is impossible. Research shows people can learn to predict better. Philip Tetlock and Dan Gardner call this "superforecasting."

Brier score

Superforecasters don’t use vague phrases like "high risk" or "maybe." They use exact numbers, like a 23% chance of a data breach. They measure their accuracy over time using a math formula called the Brier score. A Brier score grades how close a forecast is to the actual outcome.

To get better scores, superforecasters use "dragonfly eyes." Just as a dragonfly has thousands of lenses in its eyes, superforecasters look at a problem from many different views to find the most accurate answer.
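To make the Brier score concrete, here is a small added example (not code from the article or from Rick Howard's book) that scores a constructed three-year forecast history. It also shows the two ways to score badly: hedging at 50% every time, and confidently forecasting "low risk" in a year the breach actually happens.

```python
# Added example: Brier score for binary (yes/no) forecasts.
# The forecast history below is constructed for illustration only.

def brier_score(forecasts, outcomes):
    """Mean squared difference between each forecast probability and the
    actual outcome (1 = the event happened, 0 = it did not).
    0.0 is perfect, 0.25 is what a constant 50% guess earns, 1.0 is worst."""
    if len(forecasts) != len(outcomes):
        raise ValueError("each forecast needs exactly one outcome")
    for p in forecasts:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"forecast {p} is not a probability")
    return sum((p - o) ** 2 for p, o in zip(forecasts, outcomes)) / len(forecasts)

# Constructed history: three yearly forecasts of "material breach this year"
# and what actually happened (1 = a breach occurred, 0 = it did not).
OUTCOMES = [0, 0, 1]
SHARP_FORECASTS = [0.05, 0.20, 0.80]       # commits to specific numbers
HEDGED_FORECASTS = [0.50, 0.50, 0.50]      # says "maybe" every year
COMPLACENT_FORECASTS = [0.05, 0.05, 0.05]  # "low risk" every year, including the breach year

def compare_forecasters():
    """Brier score per forecaster over the same history; lower is better."""
    return {
        "sharp": brier_score(SHARP_FORECASTS, OUTCOMES),
        "hedged": brier_score(HEDGED_FORECASTS, OUTCOMES),
        "complacent": brier_score(COMPLACENT_FORECASTS, OUTCOMES),
    }

if __name__ == "__main__":
    for name, score in compare_forecasters().items():
        print(f"{name:>10}: Brier score {score:.4f}")
```

The sharp forecaster scores 0.0275, the hedged one 0.25, and the complacent one 0.3025: committing to numbers is rewarded only when those numbers track reality, and being confidently wrong in the one year that mattered costs more than hedging would have.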

Fermi estimates

Sometimes you lack enough data to make an exact prediction. Enrico Fermi was a physicist who solved big problems by breaking them into smaller parts. These are called Fermi estimates.

For example, to guess how many piano tuners live in Chicago, you estimate the city's population and the percentage of people who own pianos. Then you calculate how often those pianos need tuning. You can (and should) perform research to refine these estimates. You use the same method to estimate how often a cyber attack might hit your company.

Black swans

You also have to watch out for black swans. A black swan is a rare event that causes massive damage. You cannot predict a black swan, but you can build your system to survive one.

Bayes rule (theorem)

Risk forecasting also relies on Bayes rule. This is a math theorem about updating your prediction when you receive new information. You start with a basic guess, called a prior. When you find new data, you update that guess to reflect reality.

An example scenario: Contoso ransomware event

Let's look at how this works using Microsoft's fictional company, Contoso. Contoso needs to know the probability of a material ransomware event happening this year. You find this answer by looking at the problem from two directions: outside-in and inside-out.

Outside-in analysis: everybody else

The outside-in analysis looks at the rest of the world (or country). An example reference resource is the Verizon Data Breach Investigations Report (DBIR). You search for data on companies similar to Contoso. You look for businesses in the exact same industry and of the same size. Then you count how many of them had a major ransomware event in the past year. If 5 out of 100 similar companies had one, your outside-in estimate is 5%. This becomes your starting point.

Inside-out analysis: looking in the mirror

The inside-out analysis looks at Contoso itself. You examine the company's past security incidents and test the current controls. If Contoso has strong defenses against ransomware tactics and no recent breaches, you use Bayes rule to adjust your starting number. That 5% estimate might drop to 2%. If you have known flaws or control gaps, the estimate might jump to 12%.

Repeat and refine

You continuously repeat this process. Every time you run a security test or read a new threat report, you update your forecast. You never reach 100% certainty, but your numbers get closer to the truth with every update.
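The Contoso walkthrough above, carried out in code as an added example (not from the article or the book): the outside-in count supplies the prior, each inside-out observation is folded in with Bayes rule, and a later threat report is folded in the same way for the "repeat and refine" step. The conditional probabilities in the EVIDENCE table are assumptions chosen for illustration; they are picked so the results land near the article's 2% and 12%, not derived from any real data.

```python
# Added example: Bayes rule applied to the Contoso ransomware forecast.
# The conditional probabilities below are hypothetical numbers chosen for
# illustration; they are not figures from the article or the book.

def outside_in_prior(similar_companies_hit, similar_companies_total):
    """Outside-in base rate: share of comparable companies that had a
    material ransomware event in the past year. This is the prior."""
    if similar_companies_total <= 0:
        raise ValueError("need at least one comparable company")
    return similar_companies_hit / similar_companies_total

def bayes_update(prior, p_evidence_if_breach, p_evidence_if_no_breach):
    """Posterior probability of a breach after observing one piece of evidence E.

        P(breach | E) = P(E | breach) * P(breach)
                        / (P(E | breach) * P(breach) + P(E | no breach) * P(no breach))
    """
    numerator = p_evidence_if_breach * prior
    denominator = numerator + p_evidence_if_no_breach * (1 - prior)
    return numerator / denominator

# Assumed evidence model: for each inside-out observation, how likely it is
# to be seen in a company that will suffer a material breach this year
# versus one that will not. (P(E | breach), P(E | no breach))
EVIDENCE = {
    "strong_controls_no_recent_incidents": (0.20, 0.50),
    "known_control_gaps":                  (0.60, 0.20),
    "threat_report_sector_activity_up":    (0.70, 0.50),
}

def forecast(prior, observations):
    """Apply each observation in turn. Returns the list of successive
    probabilities, starting with the prior, so the history can be reviewed."""
    history = [prior]
    p = prior
    for name in observations:
        p_if_breach, p_if_no_breach = EVIDENCE[name]
        p = bayes_update(p, p_if_breach, p_if_no_breach)
        history.append(p)
    return history

if __name__ == "__main__":
    prior = outside_in_prior(5, 100)  # 5 of 100 similar companies: 5%
    print("strong controls:", forecast(prior, ["strong_controls_no_recent_incidents"]))
    print("control gaps:   ", forecast(prior, ["known_control_gaps"]))
    print("refined later:  ", forecast(prior, ["strong_controls_no_recent_incidents",
                                              "threat_report_sector_activity_up"]))
```

With these assumed likelihoods the 5% prior falls to about 2.1% for the well-defended Contoso and rises to about 13.6% when control gaps are known; a later threat report nudges the 2.1% up to about 2.9%. The hard part in practice is the EVIDENCE table, not the arithmetic: those likelihoods are where research and Fermi-style decomposition go. Note also that chaining updates this way treats each observation as independent of the others given the outcome, so two observations that really measure the same thing (say, two scanners reporting the same missing patch) should be folded in once, not twice.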

Thanks for reading and stay secure,

Aaron
