Introduction to the Cybersecurity Event Likelihood Scoring Model
I've faced challenges with the "Likelihood" factor in risk assessments, and I'd like to introduce the systematic approach I've developed to address this issue. Feel free to adopt this method, and by the way, I've included a Google Sheets template at the end of this article for your convenience.
See the Model template at the bottom of this post.
Concept of the Cybersecurity Event Likelihood Scoring Model
The overall concept of the Cybersecurity Event Likelihood Scoring Model is to provide organizations with a structured and data-driven approach to assess the likelihood of successful cyberattacks. This model incorporates various components and metrics to create a comprehensive view of an organization's threat landscape.
Components of the Model
Common Threats: A list of typical cybersecurity threats that an organization may face, such as phishing attacks, ransomware, and SQL injection.
Threat Description: A brief description of each threat to provide context.
Historical Occurrence: Measures the frequency of past occurrences of each threat, either within the organization or in the industry.
Threat Actor Capability: Assesses the skills, resources, and sophistication of potential threat actors.
Ease of Exploitation: Evaluates how susceptible the organization's systems are to each threat.
Industry Trends: Considers the prevalence and evolution of each threat within the industry.
Prevalence: Rates how widespread each threat currently is, using the most up-to-date information available.
GCC Effectiveness Factor: Evaluates how effectively the organization's key General Computer Controls (GCCs) mitigate each threat.
Likelihood Score: A calculated score that takes into account all the above factors to estimate the likelihood of each threat materializing.
Key GCC Controls: The recommended key GCC that could mitigate the threat.
Historical Occurrence
The "Historical Occurrence" column in the risk assessment table quantifies how often a particular type of cybersecurity threat has occurred in the past, either within the organization or in the industry at large. This metric is scored on a scale of 0 to 4, with 0 indicating no known occurrences and 4 signifying frequent occurrences. The historical occurrence score serves as an empirical indicator of the likelihood that a specific threat could materialize, based on past data. By analyzing historical trends, organizations can better understand their threat landscape and allocate resources more effectively to mitigate risks. This aligns with the NIST guidelines for risk assessment, which emphasize the importance of historical data in evaluating the probability of future cybersecurity events.
Threat Actor Capability
This metric assesses the capabilities of potential threat actors, considering factors such as technical skills, resources, motivation, past success, and sophistication. A higher score indicates that threat actors targeting the organization or industry are highly capable, necessitating more robust cybersecurity measures for effective risk mitigation. This metric aligns with NIST's risk assessment framework, emphasizing the importance of understanding the capabilities of threat actors for assessing the likelihood of cybersecurity events and planning appropriate countermeasures.
Ease of Exploitation
This metric evaluates how easy it is for potential attackers to exploit vulnerabilities. It considers factors like internet exposure, the presence of publicly accessible exploit code, accessibility for attackers, authentication barriers, user involvement, attack complexity, network security measures, patch status, timing sensitivity, and external dependencies. A higher score indicates greater ease of exploitation. This metric helps organizations assess the likelihood of successful attacks based on the ease with which vulnerabilities can be exploited.
Industry Trends
Industry trends play a vital role in understanding the threat landscape. Different sectors face varying levels of cyberattacks. This metric rates the prevalence of cyberattacks in key sectors on a scale from Very Rare (0) to Very Common (4). It provides insights into the frequency and severity of attacks in sectors such as financial services, healthcare, government, energy, retail, manufacturing, education, technology, transportation, and critical infrastructure. Analyzing industry metrics allows organizations to prioritize resources to defend against prevalent threats specific to their sector.
Prevalence
This metric rates the prevalence of specific threats on a scale from Very Low (0) to Very High (4). Factors considered include public awareness level and system obscurity. A higher score suggests a higher likelihood of a specific threat or range of threats, requiring immediate attention and possibly preemptive action.
General Computer Controls (GCC) Effectiveness Factor
The GCC Effectiveness Factor assesses the effectiveness of the organization's key General Computer Controls (GCC) in mitigating specific threats. It rates GCC effectiveness on a scale from No Effectiveness (0) to High Effectiveness (4). Factors considered include access controls, data encryption, network security, monitoring and auditing, incident response, and patch management. A higher GCC Effectiveness Factor indicates that the organization's GCCs are highly effective in reducing the likelihood of a successful attack. The model allows for the customization of the impact of GCC effectiveness on the overall likelihood by adjusting the Criteria Weight for GCC Effectiveness. Note: The GCC effectiveness score must be reasonably high before it has any effect on the overall Likelihood Score.
Adjusted Likelihood Score
The Adjusted Likelihood Score is derived by considering all the factors mentioned above, including historical occurrence, threat actor capability, ease of exploitation, industry trends, prevalence, and GCC effectiveness. It adjusts the initial likelihood score to reflect the overall risk landscape. The Adjusted Likelihood Score ranges from Very Low Likelihood (0.0-0.9) to Very High Likelihood (4.0).
Threat Scoring and Weighting in Risk Assessment
In risk assessment, a common approach is to give each likelihood criterion a weight between 0.0 and 0.9, with all weights adding up to 1.0. This lets organizations prioritize criteria according to their relative importance. Here's a breakdown of how it works:
Weighting Likelihood Criteria: Each criterion's 0 to 4 score is multiplied by a weight between 0.0 and 0.9 that reflects how significant that criterion is for the organization. The weights for a given set of Likelihood Criteria must total 1.0; because the weights sum to 1.0, the weighted result stays on the same 0 to 4 scale as the individual scores. This lets organizations give priority to the criteria that matter most in their unique context.
Significance of Weighting: Weighting recognizes that not all criteria matter equally to the organization, and it lets the organization direct resources and effort toward mitigating the most substantial risks.
Total Likelihood Score: For each threat, the likelihood score is computed by multiplying each criterion score by its corresponding weight and then summing the weighted scores. The result is a single weighted likelihood score for that threat, which can then be adjusted for GCC effectiveness to give the Adjusted Likelihood Score.
Adaptability: This weighting system lets organizations tailor their risk assessments to their specific requirements and priorities. For instance, if adherence to specific regulations is a top concern, higher weights can be assigned to the criteria that most affect threats associated with regulatory violations.
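The following Python script is an added example, not the formula from the Google Sheets template, showing one way to implement the weighted Total Likelihood Score and the GCC-adjusted Adjusted Likelihood Score described above. The criterion weights, the GCC weight of 0.5, the GCC threshold of 3 (the "reasonably high" rule), the subtract-and-clamp way of combining them, and the three middle likelihood bands are all assumptions made for illustration; the article gives only the 0 to 4 scales, the sum-to-1.0 rule, and the Very Low (0.0-0.9) and Very High (4.0) ends of the band range. The two threat rows are constructed sample data.

```python
"""Likelihood scoring for one threat row of the worksheet (added example).

Weighted 0-4 criteria scores (weights sum to 1.0) give an initial likelihood;
the GCC Effectiveness Factor then lowers it, but only once GCC effectiveness
is reasonably high. All constants below are assumed values for illustration.
"""

# Every criterion in the model is scored on the same 0 (lowest) to 4 (highest) scale.
SCALE_MIN, SCALE_MAX = 0, 4

# Threat-side criteria with assumed weights; the article only requires that they sum to 1.0.
DEFAULT_WEIGHTS = {
    "historical_occurrence": 0.25,
    "threat_actor_capability": 0.15,
    "ease_of_exploitation": 0.25,
    "industry_trends": 0.15,
    "prevalence": 0.20,
}

# Assumed: how much each point of GCC effectiveness lowers the score (the
# "Criteria Weight for GCC Effectiveness"), and the threshold below which
# GCC effectiveness has no effect ("must be reasonably high").
DEFAULT_GCC_WEIGHT = 0.5
DEFAULT_GCC_THRESHOLD = 3


def _check_score(name, value):
    """Reject anything outside the 0-4 scale so a typo in a cell cannot skew the result."""
    if not isinstance(value, (int, float)) or isinstance(value, bool):
        raise TypeError(f"{name}: score must be numeric, got {value!r}")
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name}: score must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return float(value)


def weights_are_valid(weights):
    """True when the criteria weights sum to 1.0 (within floating-point tolerance)."""
    return abs(sum(weights.values()) - 1.0) < 1e-9


def initial_likelihood(scores, weights=DEFAULT_WEIGHTS):
    """Weighted sum of the threat-side criteria; stays on the 0-4 scale because weights sum to 1.0."""
    if not weights_are_valid(weights):
        raise ValueError(f"criteria weights must sum to 1.0, got {sum(weights.values()):.3f}")
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing criterion scores: {sorted(missing)}")
    return sum(weights[name] * _check_score(name, scores[name]) for name in weights)


def adjusted_likelihood(scores, gcc_effectiveness, weights=DEFAULT_WEIGHTS,
                        gcc_weight=DEFAULT_GCC_WEIGHT, gcc_threshold=DEFAULT_GCC_THRESHOLD):
    """Initial likelihood minus the GCC reduction, clamped to 0-4 and rounded to one decimal."""
    base = initial_likelihood(scores, weights)
    gcc = _check_score("gcc_effectiveness", gcc_effectiveness)
    # Threshold rule: controls only count once their effectiveness is reasonably high.
    reduction = gcc_weight * gcc if gcc >= gcc_threshold else 0.0
    return round(float(min(SCALE_MAX, max(SCALE_MIN, base - reduction))), 1)


def likelihood_band(score):
    """Map an adjusted score to a band; the article names only the two ends, the middle three are assumed."""
    if score < 1.0:
        return "Very Low"     # article: 0.0-0.9
    if score < 2.0:
        return "Low"          # assumed
    if score < 3.0:
        return "Moderate"     # assumed
    if score < 4.0:
        return "High"         # assumed
    return "Very High"        # article: 4.0


def score_worksheet(threats, **kwargs):
    """Score every threat row; returns {threat name: {initial, adjusted, band}}."""
    weights = kwargs.get("weights", DEFAULT_WEIGHTS)
    rows = {}
    for name, row in threats.items():
        adjusted = adjusted_likelihood(row["scores"], row["gcc_effectiveness"], **kwargs)
        rows[name] = {
            "initial": round(initial_likelihood(row["scores"], weights), 1),
            "adjusted": adjusted,
            "band": likelihood_band(adjusted),
        }
    return rows


# Constructed sample rows for a healthcare organisation (illustrative scores, not real data).
SAMPLE_WORKSHEET = {
    "Phishing": {
        "scores": {"historical_occurrence": 4, "threat_actor_capability": 4,
                   "ease_of_exploitation": 4, "industry_trends": 4, "prevalence": 4},
        "gcc_effectiveness": 2,   # below the threshold: controls give no reduction
    },
    "SQL injection": {
        "scores": {"historical_occurrence": 1, "threat_actor_capability": 2,
                   "ease_of_exploitation": 1, "industry_trends": 2, "prevalence": 2},
        "gcc_effectiveness": 4,   # strong controls: the reduction floors the score at 0.0
    },
}

if __name__ == "__main__":
    for name, row in score_worksheet(SAMPLE_WORKSHEET).items():
        print(f"{name:<14} initial={row['initial']:.1f} adjusted={row['adjusted']:.1f} {row['band']}")
```

Running the script scores the phishing row at 4.0 (Very High) because its GCC effectiveness of 2 sits below the assumed threshold; raising GCC effectiveness to 3 drops the same row to 2.5. The SQL injection row starts at 1.5 and, with highly effective controls, is clamped to 0.0 rather than going negative, which is the edge case a spreadsheet formula should also guard against.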
By systematically evaluating each threat against these metrics, this model provides a robust, data-driven foundation for cybersecurity risk management. It enables organizations to prioritize their security measures effectively and aligns well with established cybersecurity standards like those provided by NIST. This comprehensive approach empowers organizations to make informed decisions and allocate resources where they are needed most to protect against cyber threats.
Likelihood Scoring Worksheet
These scores are suggestions and should be tailored based on your organization's specific circumstances (in this case Healthcare) and the most current threat intelligence. The table provides a structured way to evaluate the likelihood of different types of cybersecurity events, taking into account the effectiveness of existing controls.