How Superforecasting Can Help Improve Cyber-Security Risk Assessment

SAN FRANCISCO—Understanding and evaluating risk is always a hot top for security professionals. 

At the RSA Conference 2019 here on March 5, Palo Alto Networks Chief Security Officer Rick Howard ran a session on an advanced method known as "Superforecasting" that can help organizations go beyond basic heat maps to better evaluate and define risk. In a video interview with eWEEK, Howard outlines the core elements of the Superforecasting approach and explains how it can help organizations make better cyber-security decisions.

"How can we as cyber-security practitioners forecast risk in our organizations? There has got to be a better way," Howard said. "The way I've been doing it my whole career is wrong."

The way that Howard and many others have typically assessed risk is with the use of heat maps. With a heat map, an organization builds a risk register and identifies when a given item is high impact and high probability and then they are stacked in a graph.

Superforecasting makes use of latency curves, Monte Carlo simulations and Bayes algorithm. A latency curve is a statistical technique used to model growth, while a Monte Carlo simulation is an approach used to help determine the impact of risk and uncertainty. Bayes algorithm provides a method for classifying data for predictive modelling. With a latency curve, Howard said that on the x-axis of the graph is a measurement of how much money an organization would lose if something happens and on the y-axis is the probability.

"What that gives you is a picture of the inherent risk to the organization," he explained.

Fundamentally the question that Howard said he and other security professionals need to answer is, What is the probability that the organization will be materially impacted by a cyber-security event within a certain period of time?

Reducing Risk

According to Howard, there really are only four ways to reduce risk.

  • Avoid the risk. If an organization doesn't have the tolerance for a given impact, Howard said they can just not do the thing that leads to the risk.
  • Delegate the risk. An organization can choose to offload the risk to a third-party provider that will take over responsibility for operating the activity.
  • Improve operations. Howard suggests that one option to reduce risk is to use people, processes and technology to improve the risk front.
  • Buy insurance. With cyber-security insurance, an organization can help to mitigate the financial impact of a potential risk.

There isn't necessarily a direct relationship between an organization's cyber-security budget and risk. Howard said that different organizations have different levels of tolerance and that maps to what they are willing to spend, or not spend.

"You need to be spending money to reduce the risk that you don't tolerate," he said.

Watch the full video interview with Rick Howard above.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.