Sometimes, the hardest part of risk management is identifying the areas of weakness within your environment. I would argue, however, that more often than not, the more difficult undertaking is deciding how to address said weaknesses.
This is often done by consulting with an expert in the organization or researching industry best practices. Or--if you’re more interested in an objective, rigorous, and statistical backed method--by conducting quantitative risk analyses to aid in the calculation of ROI for each of the potential solutions.
Recently, I worked with an organization that had identified an area of weakness within their environment: data loss via misaddressed emails containing sensitive information. With the help of the FAIR Model and the RiskLens Cyber Risk Quantification (CRQ) Tool, we assessed the following control alternatives to aid the CISO in reducing the risk associated with the event:
- Email Notification
- DLP Block
- Employee Training
In order to assess the control alternatives, we first had to analyze the current state risk. Based on historical and log data as well as discussions with subject matter experts, here's how we approached the problem, using the components of the FAIR model:
The risk associated with a non-malicious insider (Threat) misaddressing emails containing sensitive customer information (Asset), resulting in confidentiality loss (Effect).
- Between 6 – 18 times per year misaddressed emails were being sent by employees within the organization (Threat Event Frequency)
- There were no preventive controls in place currently, resulting in 100% Vulnerability to the Threat Event (Vulnerability)
- The number of unique records contained per email was between 1 – 250.
- Loss was composed of incident response (Primary Response) and notification, credit monitoring, fines and judgements, etc. (Secondary Response)
- The majority of events (95-99%) would result in secondary effects such as fines, judgements or cost of credit monitoring (Secondary Loss Event Frequency)
After conducting the current state analysis, we then did multiple future state analyses to assess each of the control alternatives. In order to do so, we considered the impact each of the controls would have on the FAIR model and made the related changes to the analyses.
Email notification was the first control considered as it would pose little to no additional cost to the organization. This would be a pop-up notification triggered by the email provider when PII was detected. It would instruct the sender to double check the recipient and attachments prior to sending. Given that this control notifies the sender prior to the email being sent, it reduces the Threat Event Frequency (or number of times per year a misaddressed email containing sensitive information is sent).
One of the other controls considered was a Data Loss Prevention Block. This would scan emails based upon rules set by the organization and block any email identified as containing a given number or greater of PII records from being sent. This control affects the analysis in two places:
- Given it reduces the likelihood of sent misaddressed emails reaching the recipient, it will reduce the Vulnerability component.
- Additionally, given that it effectively caps the total number of records that can be sent, it also reduces the record count and thus reduces the loss magnitude.
The final control considered was less technical and more operational in nature. The organization was considering implementing periodic employee training workshops in order to increase awareness and caution in sending sensitive information. Given this impacts the likelihood of misaddressed emails being sent, it was modeled at Threat Event Frequency.
Based on the results of the analyses, it was determined that implementing DLP block would result in the greatest risk reduction of the control alternatives, $108,000. However, email notification also showed a significant reduction in loss exposure at $64,000 and required little to no investment.
Given the risk reduction, cost, and understanding of productivity implications, the organization was able to determine which alternative would offer the best return on security investment.