Ira Winkler - You CAN Stop Stupid


You CAN Stop Stupid: summary, description and annotation


Stopping Losses from Accidental and Malicious Actions. Around the world, users cost organizations billions of dollars due to simple errors and malicious actions. Organizations believe that there is some deficiency in the users. In response, they believe that they have to improve their awareness efforts and make users more secure. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and the failure is in not planning for that. It takes a holistic approach to assessing risk combined with technical defenses and countermeasures layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses. Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

Minimize business losses associated with user failings
Proactively plan to prevent and mitigate data breaches
Optimize your security spending
Cost justify your security and loss reduction efforts
Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

You CAN Stop Stupid: read the online excerpt


Technical Countermeasures

Technical countermeasures are technological in nature. Technical countermeasures have a broad scope that extends beyond computers and information. For example, to stop car thefts, which are physical in nature, there is technology that can deactivate the engine remotely. Given the Internet of Things (IoT), almost any piece of equipment, no matter how basic, can now implement technical countermeasures.

Technical countermeasures mitigate some form of UIL by providing protection, detection, and/or reaction capability. Protection involves the user not having the ability to initiate loss, either because an attack is filtered or because the user does not have the ability to initiate the loss in the first place.

Detection can involve two aspects of the UIL problem. Technology can detect that malicious parties are attempting to interact with users or that a user has done something that can initiate a loss. So, for example, you can detect phishing messages are being sent to users. Another example is that you may detect that a user is attempting to go to a malicious website.

Obviously, the circumstances of reaction are similar. If you detect attacks targeting users, there are a variety of technologies that can react to and mitigate the attacks before they get to the users. Also, if you detect a user action that might initiate loss, you can then mitigate that action in progress. Following up with examples described in the previous paragraph, detected phishing messages can be deleted before reaching the user. The messages can also be analyzed, and any websites or Internet systems involved can be proactively blocked and reported. If you detect a user going to a malicious website, you can lock the user's account, block the website, or investigate the user to see whether the action is malicious or perhaps is being made by a person who has compromised the user's account.

Technical countermeasures can be the failsafe for a security and risk mitigation program. Users will fail. Procedures will fail. However, if you have the right technology in place, you can detect and react to the other failures. Obviously, technological countermeasures can also fail. However, if you implement the methodology in Part IV properly, technical countermeasures can be your first and last line of defense.

Risk Optimization

When people think of risk, there is frequently an unstated assumption that risk should be minimized. This assumption is wrong. Risk is about balancing loss with the cost to mitigate the loss. This balance should be optimized, not minimized.

Minimizing loss implies that you do absolutely everything possible to stop a loss. That is far from practical. Consider what you might do to minimize your chance of being robbed or accidentally injured on the street. You can buy an armored car that is heavily weighted and has a reinforced metal frame. You can hire a driver so that you can stay in the back in a padded area. You can travel surrounded by armed bodyguards and escort vehicles.

Taking these measures would minimize a great deal of risk, but they would not guarantee your safety and would likely cost more than you stand to lose from an injury or robbery. In fact, for the average person they would be prohibitively expensive. On the other hand, if you were carrying a great deal of money in a high-risk area, some of these precautions might be more practical. The important point is that the cost of your countermeasures is balanced with your potential loss.

NOTE: Risk optimization is clearly a complicated concept that we cannot do justice to within a reasonable length. For those people who want to look further into this topic and want to be more effective in a risk mitigation position, we recommend the work of Lawrence Gordon and Martin Loeb. Their book, Managing Cybersecurity Resources: A Cost-Benefit Analysis (McGraw-Hill Education, 2005), is a helpful work on the subject.

Figure 4.2 depicts the relationship of the cost of countermeasures compared to potential loss. The vertical axis represents cost. The curve that begins on the top left represents the potential loss associated with your vulnerabilities. The curve that begins at the bottom left represents the cost of your countermeasures. Figure 4.2 assumes that you are implementing the countermeasures that are appropriate to your organization's needs.

As you can see, when countermeasures are 0, your potential loss is at its maximum. As you begin to implement countermeasures, your vulnerabilities begin to be mitigated and your potential loss decreases. Your potential loss should decrease rapidly, as there is usually a strong payback with the initial and practical countermeasures.


Figure 4.2 Cost of countermeasures compared to vulnerabilities

At some point, however, the cost of your countermeasures exceeds your potential loss. This is when you know that you are spending too much on countermeasures. The users running your security program can actually drain finances disproportionately to benefits, which effectively creates another form of loss.

Keep in mind that there can also be intangible forms of loss other than monetary, such as loss of life, reputational costs, and so on, and these might justify spending more than would otherwise be justified. Even then, you want to try to place a potential monetary value on such intangible loss and not put excessive investment into countermeasures.

Generally, you want the cost of your countermeasures to be significantly less than the potential loss. If you invest in countermeasures to the point where they exceed the potential loss, you are also likely wasting a great deal of money. In Figure 4.2, the area under the vulnerabilities line represents potential loss, not actual loss. It is rare that all potential loss becomes fully realized into actual loss.

For these reasons, you want to determine a good point where you have mitigated most of the potential loss and a minimal amount of potential loss might be acceptable. You will never be completely free from risk or loss, but you can consciously prepare for optimizing the loss. Figure 4.3 represents this concept by introducing the risk optimization point to the vulnerabilities/countermeasures balance.

As you can see in Figure 4.3, the risk optimization point is located where vulnerabilities have greatly decreased while the relative costs of their countermeasures have only modestly increased. The implication is that a reasonable investment in your security program's countermeasures dramatically mitigates potential loss. Clearly, the location of the risk-optimization point relative to the vulnerabilities/countermeasures balance will vary depending on your organization's specific needs. You want to determine the level of potential loss that you are willing to accept and then determine the costs of the countermeasures that will reduce your potential loss to that level.


Figure 4.3 The risk optimization point

That might sound obvious, but that is not the way security programs are typically budgeted. Security programs generally get some percentage of the IT budget and then have to determine how to spend that money. Obviously, this number is frequently inadequate, which results in major losses.

Understanding that last sentence is essential. There is typically no relationship between the potential loss a security program is trying to prevent and the budget the organization is willing to allocate. That is a critical issue that will lead to the failure of the security program.
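The balance in Figures 4.2 and 4.3 can be worked through numerically. The following is an added example, not code from the book or its authors: it uses a constructed countermeasure-spend versus residual-loss curve (all numbers are illustrative assumptions) to locate the point where countermeasure cost overtakes potential loss, the spend needed to reach an accepted level of residual loss (the procedure the text describes), and, as a further assumption of this example, the spend that minimises spend plus residual loss.

```python
# Constructed model of the countermeasure-cost vs. potential-loss balance of
# Figure 4.2. Every number here is an illustrative assumption, not book data.
from typing import List, Optional, Tuple

Curve = List[Tuple[float, float]]  # (countermeasure_spend, residual_potential_loss)

# Constructed sample: loss falls fast with the first practical countermeasures,
# then flattens (diminishing returns), as the text describes.
SAMPLE_CURVE: Curve = [
    (0, 1_000_000), (50_000, 400_000), (100_000, 200_000), (150_000, 160_000),
    (200_000, 120_000), (300_000, 80_000), (450_000, 60_000), (700_000, 55_000),
]


def validate_curve(curve: Curve) -> None:
    """Reject curves whose spend is not increasing or whose residual loss grows."""
    for (s0, l0), (s1, l1) in zip(curve, curve[1:]):
        if s1 <= s0:
            raise ValueError(f"spend must increase: {s0} -> {s1}")
        if l1 > l0:
            raise ValueError(f"residual loss must not grow: {l0} -> {l1}")


def overspend_threshold(curve: Curve) -> Optional[float]:
    """First spend level where countermeasure cost exceeds residual potential
    loss: beyond this point you are spending more than you could lose."""
    validate_curve(curve)
    return next((s for s, l in curve if s > l), None)


def cost_for_acceptable_loss(curve: Curve, acceptable: float) -> Optional[float]:
    """Smallest spend that brings residual loss down to the accepted level (the
    book's procedure); None if no point on the curve reaches it."""
    validate_curve(curve)
    return next((s for s, l in curve if l <= acceptable), None)


def min_total_exposure(curve: Curve) -> Tuple[float, float]:
    """Point minimising spend + residual loss: one common way to locate the
    optimization point (an assumption of this example, not the book's rule)."""
    validate_curve(curve)
    return min(curve, key=lambda p: p[0] + p[1])
```

On the sample curve, spending beyond 200,000 costs more than the remaining potential loss, 300,000 is the cheapest point that holds residual loss at or under 100,000, and total exposure is lowest at a spend of 100,000.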
