How Do You Measure the Value of Cybersecurity Controls? (Part 1)

In my presentation at the 2017 FAIR Conference (see What Metrics Matter in Risk Measurement?), I laid out some of the failures of metrics programs that report the value of cybersecurity controls. How can your risk management program provide a different metric that truly shows the value of controls?

Let’s step through an analysis together using RiskLens, the FAIR risk model, and NIST 800-53 Revision 5 (draft).

What controls should be in scope?

In NIST 800-53 there are 3 baselines: Low, Medium, High. The baselines provide table d’hôte service of a set of controls organizations can apply to an information system. Let’s focus on the Medium vs High decision point. Specifically, let’s look at the value proposition of Access Controls which:

  • Seek to prevent threat events
  • Are applicable in a High baseline
  • Are not applicable in a Medium baseline

A cursory review of the controls suggests there are 8 controls in the Access Control family which seek to prevent threat events. Only 1 of those controls shows up in the High baseline but not Medium:

AC-10, Concurrent Session Control. “Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

What does AC-10 do?

According to the supplemental guidance, this control focuses on system accounts. In short, AC-10 seeks to prevent the likelihood that threats can re-use accounts maliciously while they are also in-use for normal work purposes.

For many mission-critical applications which provide access to treasure troves of sensitive data (think PII) it is reasonable to expect the session limit to be set as low as one concurrent session for each system account. Implementing this control makes it theoretically impossible to re-use the system account concurrently to access and steal data from the application.

Scope your analysis to focus on the value proposition.

Now that we’re clear on the stated goal of AC-10 and have a use case, we can prepare for measurement. Prior to gathering data and running an analysis we must scope-in the correct components. We can follow the FAIR risk analysis process we teach in our self-paced eCourse:

  1. Define the Asset(s) – Let’s stick with our BI application with PII on the backend
  2. Define the Threat(s) – It makes the most sense to focus on highly skilled external hackers gaining access and reusing the system accounts in question. In addition, we may be concerned about insiders re-using credentials for theft
  3. Identify Loss Type(s) – Confidentiality of PII

Our goal is to determine if the implementation cost of AC-10 is ‘worth it’. To support the decision, we need to understand how much risk we run when using a Medium baseline without AC-10 and compare it to a High baseline with AC-10.

In this post we sharpened the axe. We will follow this by using RiskLens Cyber Risk Quantification to perform our analyses, compare their results, and draw some conclusions.

Say tuned for Part 2.