Cybersecurity practitioners are very familiar with the arrival of new security advisories from sources such as CISA and the NIST National Vulnerability Database (NVD) whenever a new vulnerability (CVE) is reported. Each new CVE carries a risk score computed with the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10:
Rating      CVSS Score
None        0.0
Low         0.1 - 3.9
Medium      4.0 - 6.9
High        7.0 - 8.9
Critical    9.0 - 10.0
Keep one thought in mind as you prepare for a BoD meeting to talk about cyber risk:
Enterprise decision-making requires analysis of the economics of cyber risk
This article offers guidance on how to calculate Cyber Value at Risk associated with a reported CVE and its CVSS score for presentation to a Board of Directors or C-Level Executives. The formula presented here has been developed by the author as a "back of the envelope" method to quickly calculate value at risk associated with a new software vulnerability (CVE). Parties looking for more comprehensive, formal methods to calculate Cyber Value at Risk are advised to review academic materials available online.
The formula presented here contains elements that are input to the statistically calculated SAGScore™, a trustworthiness score produced by the SAG-PM C-SCRM risk assessment software solution for Executive Order 14028 implementations. The results of this formula are expressed in US Dollars as Cyber Value at Risk associated with a single software vulnerability (CVE). CISOs can use this formula to communicate Cyber Value at Risk to BoD members and C-Level Executives to indicate the minimum and maximum business impact expressed as "Value at Risk" dollars. The following inputs are used in this formula:
Parameter: CVSS ratio (CVSS/10), parameter VS
Description: CVSS scores range from 0 to 10. The ratio of a CVE's CVSS score to its maximum value (10) is used as an input to the formula. For example, a CVE with a CVSS score of 10 would result in a CVSS ratio of (10/10) = 1.

Parameter: Likelihood (probability ranging from 0 to 1), parameter L
Description: This parameter indicates the probability that a particular CVE could represent a threat and risk to a Company. This value is calculated based on the presence and accessibility of software vulnerabilities that may be exploited by an attacking party. A party that has no exposure, i.e., the software that contains the vulnerability is not installed in its digital ecosystem, results in a Likelihood score of 0. A party with multiple installations of a vulnerable software package would experience a higher probability of risk. CISOs calculate this likelihood (probability of a successful attack) value based on "ground truth" about the digital ecosystem, the presence of exploitable vulnerabilities, and existing defensive capabilities to prevent an attack from succeeding.

Parameter: Minimum Impact Dollars, parameter MinI
Description: Expressed as a minimum dollar amount resulting from a successful cyber-attack. This amount is typically correlated with the "consequence" of a cyber-attack and may include business impact to revenues and reputation, as well as other costs incurred at a minimum level. CISOs use their knowledge of the business and of cybersecurity defensive measures and capabilities to estimate this value.

Parameter: Maximum Impact Dollars, parameter MaxI
Description: Expressed as a dollar amount resulting from a successful cyber-attack that is allowed to expand beyond the initial incursion consequence impact to impacts on the broader enterprise that are achieved by the attacker through lateral movement. CISOs use their knowledge of the business and of cybersecurity defensive measures and capabilities to estimate this value using best practices provided by the Idaho National Lab Consequence-driven Cyber-informed Engineering (CCE). This should include business impact to revenues and reputation as well as other costs incurred, at the minimum level.

Parameter: Minimum Recovery Dollars, parameter MinR
Description: Expressed as the minimum estimated dollar amount an organization would incur to recover from a cyber-attack that is contained to the minimum impact (consequence) only. This cost includes product, services and labor costs associated with incident response and recovery.

Parameter: Maximum Recovery Dollars, parameter MaxR
Description: Expressed as the maximum estimated dollar amount an organization would incur to recover from a cyber-attack that is allowed to expand across a digital ecosystem over an expanse of time, before an incident is detected and contained. This cost includes product, services and labor costs associated with incident response and recovery.
The "back of the envelope" formula to calculate Cyber Value at Risk (C-VAR) is shown below:
Minimum C-VAR = (VS * L) * (MinI + MinR)
Maximum C-VAR = (VS * L) * (MaxI + MaxR)
Two use-case examples are provided below using the Log4j vulnerability CVE-2021-44228:
Use Case 1: A tee-shirt screen printing company with two systems in a digital ecosystem and only 1 system has Log4j installed, and is vulnerable to exploitation:
Min Log4j C-VAR = ((10/10) *0.5) * ($50,000 + $30,000)
Min Log4j C-VAR = $40,000
Max Log4j C-VAR = ((10/10) *0.5) * ($100,000 + $60,000)
Max Log4j C-VAR = $80,000
Use Case 2: An aerospace manufacturing company with two hundred systems in a digital ecosystem and 100 systems have Log4j installed, and are vulnerable to exploitation:
Min Log4j C-VAR = ((10/10) *0.5) * ($5,000,000 + $3,000,000)
Min Log4j C-VAR = $4,000,000
Max Log4j C-VAR = ((10/10) *0.5) * ($100,000,000 + $75,000,000)
Max Log4j C-VAR = $87,500,000
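The formula and both use cases above, carried through in code as an added example (not part of the original article or of the SAG-PM product). The CVSS rating bands come from the table at the top of the page; the likelihood of 0.5 and the dollar figures are the article's own inputs, and the function and class names are assumptions made here.

```python
from dataclasses import dataclass


def cvss_ratio(cvss_score: float) -> float:
    """Parameter VS: the CVSS base score divided by its maximum value of 10."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    return cvss_score / 10.0


def cvss_rating(cvss_score: float) -> str:
    """Qualitative rating for a score, using the bands in the article's CVSS table."""
    if cvss_score == 0.0:
        return "None"
    if cvss_score < 4.0:
        return "Low"
    if cvss_score < 7.0:
        return "Medium"
    if cvss_score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class CvarInputs:
    cvss_score: float     # CVE's CVSS base score (0-10)
    likelihood: float     # L: probability of a successful attack, estimated by the CISO
    min_impact: float     # MinI, US dollars
    max_impact: float     # MaxI, US dollars
    min_recovery: float   # MinR, US dollars
    max_recovery: float   # MaxR, US dollars


def cyber_value_at_risk(p: CvarInputs) -> tuple[float, float]:
    """Return (minimum C-VAR, maximum C-VAR) in dollars per the article's formula."""
    if not 0.0 <= p.likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    exposure = cvss_ratio(p.cvss_score) * p.likelihood      # (VS * L)
    return (exposure * (p.min_impact + p.min_recovery),      # (VS * L) * (MinI + MinR)
            exposure * (p.max_impact + p.max_recovery))      # (VS * L) * (MaxI + MaxR)


# Inputs taken from the article's two Log4j (CVE-2021-44228, CVSS 10.0) use cases.
TEE_SHIRT_PRINTER = CvarInputs(10.0, 0.5, 50_000, 100_000, 30_000, 60_000)
AEROSPACE_MANUFACTURER = CvarInputs(10.0, 0.5, 5_000_000, 100_000_000, 3_000_000, 75_000_000)

if __name__ == "__main__":
    for name, inputs in (("Use case 1", TEE_SHIRT_PRINTER), ("Use case 2", AEROSPACE_MANUFACTURER)):
        lo, hi = cyber_value_at_risk(inputs)
        print(f"{name}: CVSS rating {cvss_rating(inputs.cvss_score)}, C-VAR ${lo:,.0f} to ${hi:,.0f}")
```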
This article describes a “back of the envelope” method to calculate the Cyber Value at Risk (C-VAR) when a new software vulnerability is reported by CISA and/or NIST NVD that is used to communicate the business risks from new cyber vulnerabilities to a BoD or C-Level executives. Parties seeking a more formal methodology to calculate Cyber Value at Risk are advised to review this material.
People who are unfamiliar with the factors that go into determining risk should check out this handy little tool from OWASP. This tool is part of the OWASP Risk Rating Methodology.