Why instinctive fear of snakes is not a sound basis for cyber defense
Even though Americans are 20 times more likely to die in a car accident than from a snake bite, fear of cars is far less prevalent. That's because the human perception of risk in the modern age is highly miscalibrated. Steve Grobman, vice president and CTO at McAfee, argues that the cyber world can't escape flawed perceptions either.
Even though precisely measuring which is riskier, skydiving or climbing Mount Everest, seems problematic, the physical world provides metrics to do so. Grobman points to the micromort, a unit of risk defined as a one-in-a-million chance of death.
With that metric in mind, it's possible to say that skydiving is a whopping 4000 times less dangerous than climbing the tallest mountain on the planet. Estimates show that a single parachute jump is worth eight micromorts, while the climb to Everest is worth 37,932.
"We need to use the moral equivalent of the micromort in the way we think about cyber risk, just as we do in the physical world. We need to use science-based data to counteract the influence of social and traditional media and our raw emotions," Grobman said at the RSA Conference last week.
According to him, cyber events have multiple levels of nuance, so defenders need to consider different aspects of an event. For example, does the event affect a single organization, like the Sony hack in 2014, or is it a global event, like NotPetya was in 2016?
Grobman suggested layering the levels of damage a cyber event would cause. For example, stealing internal planning documents, a human-operated intrusion with minimal direct impact, can cause immense long-term organizational damage.
Another criterion to assess a cyber risk could be comparing whether the risk is active or passive. That means distinguishing between risks people and organizations are exposed to by being connected to the outside world versus risks that arise from business decisions.
"We also need to understand the risk-reward benefit when we choose to engage in high-risk areas, just as a hiker may willingly climb a mountain, even though they know it's inherently risky," Grobman said.
This boils down to considering all possible factors and assessing the risks adequately instead of blindly shooting in the dark.
According to him, the principal components of accurately assessing a looming danger are understanding how an event can affect a single organization, how many organizations were affected by an event, and the likelihood of a cyber event occurring in the first place.
"We don't know exactly what type of cyber events will occur in the future, but we can look at frequencies of different scenarios along the vectors," Grobman said, comparing cyber risk assessment to preparations for natural disasters.
According to Grobman, traditional and social media analysis show that many high-profile attacks receiving a lot of attention primarily affect a single organization. He outlined the DNC hack, Equifax, and Ashley Madison data breaches.
Even though these attacks are important and newsworthy, he notes, it's important not to overemphasize the exact playbook executed in the attack scenarios that receive the most media attention.
Grobman argues that TrickBot campaigns receive little media coverage, even though they act as catalysts for secondary high-impact scenarios.
"For example, a human-operated ransomware attack, engineered to hold the most valuable asset for ransom. TrickBot changes its implementation frequently and impacts an extraordinarily large number of organizations," claims McAfee's CTO.
Therefore, the cyber community should start reevaluating how threats and risks are perceived and assessed. Grobman proposes taking at least several years' worth of data on various attacks and profiling them.
"Let's break things into three simple elements we've dealt with for decades: targeted attacks that affect a single organization; indiscriminate malware, such as password stealers and ransomware; and nuisance threats, such as PUPs. One of the things that stands out is the inverse relationship between impact and breadth," he said.
Safety, when safety's due
Speaking at the RSA Conference, Grobman acknowledged that the scope of risks is broadening with an increasing number of sophisticated attacks, the rise of human-operated ransomware, and the so-called 'mega-worms.'
"Since the nineties, the ability for an attacker to use a workable vulnerability to convert victims into attackers remains one of the most powerful adversarial innovations of all time," he said.
On a more positive note, Grobman urged defenders to dedicate more time to understanding the scope and breadth of possible cyber-attacks, since limited budgets can cover only so much.
Since it's impossible to safeguard against everything, it makes more sense to identify the key threats and maximize the return on cybersecurity investments.
Connecting his example to a real-life scenario applicable to Texans, he explained that many more people die from slipping in the bathtub than from tornadoes. Therefore, it makes much more sense to invest $6 in a bathmat than $4,000 in a tornado shelter.
"Implementing multi-factor authentication likely reduces more risk than mandating third-party code audits in an attempt to address supply chain attacks. My call to action for you is this: let's make the best cyber defense decisions possible," Grobman said.
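The profiling approach Grobman describes (frequency, breadth and impact per event class, then controls ranked by risk removed per dollar, the bathmat-versus-tornado-shelter logic) can be written down as a small model. The following is an added example, not code from the article, from McAfee, or from Grobman's talk: the three event classes, the per-class frequencies and losses, and the costs and effectiveness of the controls are all constructed for illustration; only the skydiving and Everest micromort figures come from the article. It treats hits on an organization as Poisson arrivals, so the "cyber micromort" is the chance of at least one hit in a year, in parts per million.

```python
"""Constructed risk-comparison model (added example; not from the article,
McAfee, or Grobman's talk). Each class of cyber event is expressed as a
"cyber micromort" (chance per organisation per year of being hit, in parts
per million), per-organisation expected annual loss is computed from
frequency, breadth and impact, and candidate controls are ranked by risk
removed per dollar. Every figure is made up for illustration; only the
skydiving and Everest micromorts come from the article."""
import math
from dataclasses import dataclass, field

MICRO = 1_000_000          # one micromort = one-in-a-million chance
SKYDIVE_MICROMORTS = 8     # from the article
EVEREST_MICROMORTS = 37_932


def relative_risk(riskier: float, safer: float) -> float:
    """How many times riskier one activity is than another, in micromorts."""
    return riskier / safer


@dataclass(frozen=True)
class EventClass:
    name: str
    incidents_per_year: float     # how often this kind of event is observed
    orgs_hit_per_incident: float  # breadth: organisations affected per incident
    loss_per_org: float           # impact: loss in dollars for one affected org
    population: int = 100_000     # organisations over which frequency was measured


def hit_rate(ev: EventClass) -> float:
    """Expected number of hits on a single organisation per year."""
    return ev.incidents_per_year * ev.orgs_hit_per_incident / ev.population


def micromorts(ev: EventClass) -> float:
    """Chance (ppm) that an organisation suffers at least one hit this year.
    Hits are modelled as Poisson arrivals, so P(>=1) = 1 - exp(-rate)."""
    return (1.0 - math.exp(-hit_rate(ev))) * MICRO


def expected_annual_loss(ev: EventClass) -> float:
    """Per-organisation expected loss: expected hits times loss per hit."""
    return hit_rate(ev) * ev.loss_per_org


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # fraction of each event class's expected loss that the control removes
    reduction: dict = field(default_factory=dict)


def risk_reduced(ctrl: Control, classes: list) -> float:
    """Dollars of expected annual loss the control removes across all classes."""
    return sum(ctrl.reduction.get(ev.name, 0.0) * expected_annual_loss(ev)
               for ev in classes)


def rank_controls(controls: list, classes: list) -> list:
    """Return (name, dollars of risk removed, risk removed per dollar),
    best value first: the bathmat ranks ahead of the tornado shelter."""
    rows = [(c.name, risk_reduced(c, classes),
             risk_reduced(c, classes) / c.annual_cost) for c in controls]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed event classes following the talk's three buckets. Note the
# inverse relationship: breadth rises from top to bottom while impact falls.
CLASSES = [
    EventClass("targeted attack", incidents_per_year=50,
               orgs_hit_per_incident=1, loss_per_org=50_000_000),
    EventClass("indiscriminate malware", incidents_per_year=200,
               orgs_hit_per_incident=100, loss_per_org=500_000),
    EventClass("nuisance (PUPs)", incidents_per_year=1_000,
               orgs_hit_per_incident=50, loss_per_org=2_000),
]

# Constructed controls with hypothetical costs and effectiveness.
CONTROLS = [
    Control("Multi-factor authentication", annual_cost=40_000,
            reduction={"indiscriminate malware": 0.5, "targeted attack": 0.3}),
    Control("Third-party code audits", annual_cost=250_000,
            reduction={"targeted attack": 0.2}),
    Control("PUP/adware blocking", annual_cost=5_000,
            reduction={"nuisance (PUPs)": 0.8}),
]

if __name__ == "__main__":
    ratio = relative_risk(EVEREST_MICROMORTS, SKYDIVE_MICROMORTS)
    print(f"Everest vs skydiving: {ratio:.0f}x riskier")
    for ev in CLASSES:
        print(f"{ev.name:24s} {micromorts(ev):10.0f} micromorts  "
              f"EAL ${expected_annual_loss(ev):,.0f}")
    for name, reduced, per_dollar in rank_controls(CONTROLS, CLASSES):
        print(f"{name:28s} removes ${reduced:,.0f}/yr  ({per_dollar:.2f} per $)")
```

With these made-up inputs the targeted class carries the highest loss per hit but the fewest micromorts, the nuisance class the reverse, and the ranking puts multi-factor authentication ahead of code audits per dollar, which is the shape of Grobman's argument rather than evidence for it: swapping in an organization's own incident history and control costs is the whole point of the exercise.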