
Richard "Dick" Brooks

Translating Software Vulnerabilities into Cyber Value at Risk Dollars for BoD Presentations

Cybersecurity practitioners are very familiar with the arrival of new security advisories from sources such as CISA and the NIST National Vulnerability Database (NVD) whenever a new vulnerability (CVE) is reported. Each new CVE carries a risk score computed with the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10:

Rating      CVSS Score
None        0.0
Low         0.1 - 3.9
Medium      4.0 - 6.9
High        7.0 - 8.9
Critical    9.0 - 10.0

Keep one thought in mind as you prepare for a BoD meeting to talk about cyber risk:

Enterprise decision-making requires analysis of the economics of cyber risk

This article offers guidance on how to calculate the Cyber Value at Risk associated with a reported CVE and its CVSS score, for presentation to a Board of Directors or C-Level Executives. The formula presented here was developed by the author as a "back of the envelope" method to quickly calculate the value at risk associated with a new software vulnerability (CVE). Parties looking for more comprehensive, formal methods to calculate Cyber Value at Risk are advised to review academic materials available online.

The formula presented here contains elements that are inputs to the statistically calculated SAGScore™, a trustworthiness score produced by the SAG-PM C-SCRM risk assessment software solution for Executive Order 14028 implementations. The result of this formula is expressed in US Dollars as the Cyber Value at Risk associated with a single software vulnerability (CVE). CISOs can use this formula to communicate Cyber Value at Risk to BoD members and C-Level Executives, indicating the minimum and maximum business impact expressed as "Value at Risk" dollars. The following inputs are used in this formula:

Parameter: CVSS ratio (CVSS/10), symbol VS
Description: CVSS scores range from 0 to 10. The ratio of a CVE's CVSS score to its maximum value (10) is used as an input to the formula. For example, a CVE with a CVSS score of 10 would result in a CVSS ratio of (10/10) = 1.

Parameter: Likelihood (probability ranging from 0 to 1), symbol L
Description: This parameter indicates the probability that a particular CVE could represent a threat and risk to a Company. The value is calculated based on the presence and accessibility of software vulnerabilities that may be exploited by an attacking party. A party with no exposure (i.e., the software that contains the vulnerability is not installed anywhere in its digital ecosystem) has a Likelihood of 0. A party with multiple installations of a vulnerable software package would experience a higher probability of risk. CISOs calculate this likelihood (the probability of a successful attack) based on "ground truth" about the digital ecosystem, the presence of exploitable vulnerabilities, and the existing defensive capabilities that can prevent an attack from succeeding.

Parameter: Minimum Impact Dollars, symbol MinI
Description: Expressed as the minimum dollar amount resulting from a successful cyber-attack. This amount is typically correlated with the "consequence" of a cyber-attack and may include business impact to revenues and reputation, as well as other costs incurred at a minimum level. CISOs use their knowledge of the business and of cybersecurity defensive measures and capabilities to estimate this value.

Parameter: Maximum Impact Dollars, symbol MaxI
Description: Expressed as the dollar amount resulting from a successful cyber-attack that is allowed to expand beyond the initial incursion's consequence impact to impacts on the broader enterprise, achieved by the attacker through lateral movement. CISOs use their knowledge of the business and of cybersecurity defensive measures and capabilities to estimate this value, using best practices provided by the Idaho National Lab Consequence-driven Cyber-informed Engineering (CCE) methodology. At a minimum, this should include business impact to revenues and reputation, as well as other costs incurred.

Parameter: Minimum Recovery Dollars, symbol MinR
Description: Expressed as the minimum estimated dollar amount an organization would incur to recover from a cyber-attack that is contained to the minimum impact (consequence) only. This cost includes the product, services and labor costs associated with incident response and recovery.

Parameter: Maximum Recovery Dollars, symbol MaxR
Description: Expressed as the maximum estimated dollar amount an organization would incur to recover from a cyber-attack that is allowed to expand across a digital ecosystem over an extended period of time before the incident is detected and contained. This cost includes the product, services and labor costs associated with incident response and recovery.

The "back of the envelope" formula to calculate Cyber Value at Risk (C-VAR) is shown below:

Minimum C-VAR = (VS * L) * (MinI + MinR)

Maximum C-VAR = (VS * L) * (MaxI + MaxR)

Two use-case examples are provided below using the Log4j vulnerability CVE-2021-44228.

Use Case 1: A tee-shirt screen printing company with two systems in its digital ecosystem, of which only one has Log4j installed and is vulnerable to exploitation:

Min Log4j C-VAR = ((10/10) * 0.5) * ($50,000 + $30,000)

Min Log4j C-VAR = $40,000

Max Log4j C-VAR = ((10/10) * 0.5) * ($100,000 + $60,000)

Max Log4j C-VAR = $80,000

Use Case 2: An aerospace manufacturing company with two hundred systems in its digital ecosystem, of which 100 have Log4j installed and are vulnerable to exploitation:

Min Log4j C-VAR = ((10/10) * 0.5) * ($5,000,000 + $3,000,000)

Min Log4j C-VAR = $4,000,000

Max Log4j C-VAR = ((10/10) * 0.5) * ($100,000,000 + $75,000,000)

Max Log4j C-VAR = $87,500,000
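The formula and both Log4j use cases above, carried out in code so the arithmetic and the CVSS rating bands can be reproduced. This is an added example, not code from the article or from the SAG-PM product; the input-range checks (CVSS within 0-10, L within 0-1, minimum estimates not exceeding maximums) and the one-line board summary format are my own assumptions about what a CISO would want validated before the numbers reach a slide.

```python
from dataclasses import dataclass

# Qualitative CVSS severity bands, taken from the article's table.
CVSS_BANDS = [(0.0, 0.0, "None"), (0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
              (7.0, 8.9, "High"), (9.0, 10.0, "Critical")]

def cvss_rating(score: float) -> str:
    """Map a published (one-decimal) CVSS base score to its qualitative rating."""
    for low, high, label in CVSS_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"not a valid one-decimal CVSS score in 0.0-10.0: {score}")

@dataclass(frozen=True)
class CvarInputs:
    cvss: float          # CVE base score, 0-10; VS = cvss / 10
    likelihood: float    # L, probability 0-1, estimated by the CISO
    min_impact: float    # MinI, USD
    max_impact: float    # MaxI, USD
    min_recovery: float  # MinR, USD
    max_recovery: float  # MaxR, USD

    def __post_init__(self) -> None:
        # Assumed sanity checks: reject inputs the formula cannot meaningfully consume.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError("CVSS must be within 0-10")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood L must be a probability in 0-1")
        if self.min_impact > self.max_impact or self.min_recovery > self.max_recovery:
            raise ValueError("minimum estimates must not exceed maximum estimates")

def cyber_value_at_risk(p: CvarInputs) -> tuple[float, float]:
    """Return (Minimum C-VAR, Maximum C-VAR) in USD: (VS * L) * (I + R)."""
    weight = (p.cvss / 10.0) * p.likelihood
    return weight * (p.min_impact + p.min_recovery), weight * (p.max_impact + p.max_recovery)

def board_summary(company: str, cve: str, p: CvarInputs) -> str:
    """One line a CISO could put on a BoD slide for a single CVE (assumed format)."""
    lo, hi = cyber_value_at_risk(p)
    return (f"{company}: {cve} (CVSS {p.cvss:.1f} {cvss_rating(p.cvss)}, L={p.likelihood:.2f}) "
            f"C-VAR ${lo:,.0f} to ${hi:,.0f}")

# The article's two Log4j (CVE-2021-44228, CVSS 10.0) use cases; both use L = 0.5.
TEE_SHIRT_PRINTER = CvarInputs(10.0, 0.5, 50_000, 100_000, 30_000, 60_000)
AEROSPACE_MANUFACTURER = CvarInputs(10.0, 0.5, 5_000_000, 100_000_000, 3_000_000, 75_000_000)

if __name__ == "__main__":
    for name, inputs in [("Tee-shirt printer", TEE_SHIRT_PRINTER),
                         ("Aerospace manufacturer", AEROSPACE_MANUFACTURER)]:
        print(board_summary(name, "CVE-2021-44228", inputs))
```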

This article has described a "back of the envelope" method for calculating the Cyber Value at Risk (C-VAR) when CISA and/or the NIST NVD report a new software vulnerability, a method that can be used to communicate the business risk of new cyber vulnerabilities to a BoD or C-Level executives. Parties seeking a more formal methodology to calculate Cyber Value at Risk are advised to review this material.

People who are unfamiliar with the factors that go into determining risk should check out this handy little tool from OWASP. This tool is part of the OWASP Risk Rating Methodology.