Exposure Index

Exposure Index An IT Security Speedometer Approach Holger Himmel, Dr. Aleksandra Sowa

Transcript of Exposure Index

Page 1: Exposure Index

Exposure Index: An IT Security Speedometer Approach

Holger Himmel, Dr. Aleksandra Sowa

Page 2: Exposure Index

“Everything should be made as simple as possible, but not simpler.”

Page 3: Exposure Index

Exposure = Threat + Vulnerability

Data Breach = Hacker + Weak Encryption

Exposure Index = Threat Index + Vulnerability Index

Page 4: Exposure Index

Step One – Sort your Metrics

Question: Do your metrics measure threats, or do they measure how vulnerable you are?

• IDS alerts
• Client-side malware incidents
• Firewall scans
• Failed login attempts
• Applications up to date
• Operating system update rate
• Attacker activity on honeypot
• Employee awareness training rate
• Number of phishing mails blocked
• Accounts with administrative privileges
• Server hardening
• Malware-pattern update rate

There are hundreds more…

Page 5: Exposure Index

Step One – Sort your Metrics

Your vulnerability metrics cluster like this:

“[…] the most important figures that one needs for management are unknown or unknowable […], but successful management must nevertheless take account of them.” - W. Edwards Deming

Page 6: Exposure Index

Step Two – The Vulnerability Index

1. Normalize your metrics.

What does it mean if your (whatever) metric says “89,2%” or “1,630”? Is it good or bad?

Normalization puts the metrics into your context and lets you define what is “good” and what is “worst case”.

To make it simple, let's give “good” a “0” and “worst case and beyond” a “10”.

In this example, 100% (protection) is “good” (=0) and “worst case” is “80%” (=10). The scale is linear. Our metric delivers a value of “89,2%”, so it is a “6”.

Normalization Scale

Value      Norm. Index
80,00%     10
82,00%     9
84,00%     8
86,00%     7
88,00%     6
90,00%     5
92,00%     4
94,00%     3
96,00%     2
98,00%     1
100,00%    0

“89,2%” → “6”

Page 7: Exposure Index

Step Two – The Vulnerability Index

2. Give each metric a weight to adjust its impact in your index system.

Some metrics measuring your vulnerability (or protection level) are more important than others. Giving them an index weight lets you increase the metric's impact in the index.

To make it simple, let's give “normal” a “1”.

So you've got normalization and weight. Let's put it together:

Metric      Value      Norm. Index   Weight
Metric 1    100,00%    0             1
Metric 2    92,70%     8             2
Metric 3    60,00%     10            1
Metric 4    99,70%     1             1
Metric 5    99,00%     1             1
Metric 6    80,10%     4             1

Page 8: Exposure Index

Step Two – The Vulnerability Index

3. Calculate the score

The formula is:

$$\text{Score} = \sum_{i=1}^{n} \left[\text{Norm. Index}_i \cdot \text{Weight}_i\right]$$

Metric      Value      Norm. Index   Weight
Metric 1    100,00%    0             1
Metric 2    92,70%     8             2
Metric 3    60,00%     10            1
Metric 4    99,70%     1             1
Metric 5    99,00%     1             1
Metric 6    80,10%     4             1

Score = 0*1 + 8*2 + 10*1 + 1*1 + 1*1 + 4*1 = 32

Every elementary school child should be able to do it. It's simple!

Page 9: Exposure Index

Step Two – The Vulnerability Index

4. Calculate the index value in %

The formula is:

$$\text{Vulnerability Index} = \frac{\text{Score}}{\sum_{i=1}^{n} \left[\text{Max. Norm. Index} \cdot \text{Weight}_i\right]} \cdot 100$$

$$\text{Vulnerability Index} = \frac{32}{10 \cdot 1 + 10 \cdot 2 + 10 \cdot 1 + 10 \cdot 1 + 10 \cdot 1 + 10 \cdot 1} \cdot 100 = \frac{32}{70} \cdot 100 = 45.7$$

Metric      Value      Norm. Index   Weight   Max. score (10 × Weight)
Metric 1    100,00%    0             1        10
Metric 2    92,70%     8             2        20
Metric 3    60,00%     10            1        10
Metric 4    99,70%     1             1        10
Metric 5    99,00%     1             1        10
Metric 6    80,10%     4             1        10

Score: 32; maximum score: 70 (=100%)

Page 10: Exposure Index

Step Three – The Threat Index

Your threat-related metrics cluster like this:

All threat metrics have one thing in common: you have almost no way to control them.

“Blocked phishing mails” is a good example of a metric you can't influence. You can't set a goal like “Next month, I only want to count 100,000 blocked phishing mails.” For vulnerability metrics, you are able to set goals: “Next month, I want my malware patterns to be 100% up to date.”

Page 11: Exposure Index

Step Three – The Threat Index

1. Normalize your metrics. (That's a little bit more tricky.)

Example: You measure 200,000 blocked phishing mails last month. Good or bad?

If you have an average of 6,000,000 blocked phishing mails per month, it's “good”. If you count 4,000 on average, it's nearly “worst case”.

Thus, putting your threat-related metrics into a historical context seems to be a good idea.

Page 12: Exposure Index

Date            Phishing Mails
August-14       943,407
September-14    1,632,682
October-14      1,218,232
November-14     898,688
December-14     1,211,293
January-15      1,228,161
February-15     660,670
March-15        1,920,309
April-15        1,286,725
May-15          983,008
June-15         691,404
July-15         824,108

Step Three – The Threat Index

1. Normalize your metrics.

One way to do it: pick the 3 maximum values and calculate their average. That's your “worst case” (10) on your norm scale.

Example: You have these 12 historical values, and your norm scale calculation is:

Maximum Three
1,920,309
1,632,682
1,286,725

Average
1,613,239

Normscale       Absolute value   Normalized Value
0%              0                0
-10%            161,324          1
-20%            322,648          2
-30%            483,972          3
-40%            645,295          4
-50%            806,619          5
-60%            967,943          6
-70%            1,129,267        7
-80%            1,290,591        8
-90%            1,451,915        9
90% and more    1,613,239        10

Your most recent value is “755,432”, which gives you a normalized “5”.

Page 13: Exposure Index

Step Three – The Threat Index

2. Calculate the index value in %

The next steps (weight, score count) are similar to the vulnerability index.

$$\text{Threat Index} = \frac{71}{100} \cdot 100 = 71$$

Internal metrics          Recent     Comparison   Percent   Normalized Index   Weight   Max. score (10 × Weight)
Metric 1                  755.432    1.613.239    46,8%     5                  1        10
Metric 2                  133        173          77,0%     8                  2        20
Metric 3                  521        639          81,6%     9                  1        10
Metric 4                  145        178          81,6%     9                  2        20
Metric 5                  11         16           67,3%     7                  3        30

Other threat metrics
Cybersecurityindex.com    2.814      2.764        1,8%      2                  1        10

Score: 71; maximum score: 100

Page 14: Exposure Index

Step Four – Putting it all together

Calculate the Exposure Index

$$\text{Exposure Index} = \frac{\text{Vulnerability Index} + \text{Threat Index}}{2}$$

$$\text{Exposure Index} = \frac{32 + 71}{2} = 51.5$$

Feel free to calculate differently!

[Figure: speedometer gauges reading 32, 71 and 51.5]
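Steps Two to Four as an added Python example (not the authors' code), run on the values from the slides. The function names are assumptions, and rounding up to the next step of the norm scale is inferred from the slides' scale tables.

```python
import math

def normalize(value, good, worst):
    """Map a raw metric to the 0-10 norm scale: good -> 0, worst and beyond -> 10."""
    if good == worst:
        raise ValueError("good and worst must differ")
    frac = min(max((value - good) / (worst - good), 0.0), 1.0)
    # Round up to the next step, as the slides' scale tables do (89,2% -> 6).
    # The inner round() only removes floating-point noise before ceil().
    return math.ceil(round(frac * 10, 9))

def worst_case_from_history(history, top=3):
    """Threat metrics: 'worst case' (10) is the average of the top historical values."""
    peaks = sorted(history, reverse=True)[:top]
    return sum(peaks) / len(peaks)

def index_percent(metrics):
    """metrics: (norm_index, weight) pairs -> (score, max_score, index in %)."""
    score = sum(n * w for n, w in metrics)
    max_score = sum(10 * w for _, w in metrics)
    if max_score == 0:
        raise ValueError("at least one metric needs a non-zero weight")
    return score, max_score, round(score / max_score * 100, 1)

def exposure_index(vulnerability, threat):
    """Step Four: plain average of the two indices."""
    return (vulnerability + threat) / 2

# Values taken from the slides (phishing history, norm index and weight per metric).
PHISHING_HISTORY = [943407, 1632682, 1218232, 898688, 1211293, 1228161,
                    660670, 1920309, 1286725, 983008, 691404, 824108]
VULNERABILITY = [(0, 1), (8, 2), (10, 1), (1, 1), (1, 1), (4, 1)]
THREAT = [(5, 1), (8, 2), (9, 1), (9, 2), (7, 3), (2, 1)]

if __name__ == "__main__":
    worst = worst_case_from_history(PHISHING_HISTORY)
    print("protection 89.2% ->", normalize(89.2, good=100, worst=80))
    print("phishing worst case:", round(worst))
    print("755,432 mails ->", normalize(755432, good=0, worst=worst))
    print("vulnerability:", index_percent(VULNERABILITY))
    print("threat:", index_percent(THREAT))
    # The Step Four slide plugs in 32 and 71.
    print("exposure:", exposure_index(32, 71))
```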

Page 15: Exposure Index

Step Four – Putting it all together

• low vulnerability / low or less threats
• high vulnerability / high or many threats
• high vulnerability / low or less threats
• low vulnerability / many threats

Exposure = Threat + Vulnerability

Page 16: Exposure Index

The Model is…

• …scalable to suit any organization size, from small business to big multinational companies
• …based on systematics of the German Federal Office for Network and Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI)
• …customizable, since based on metrics
• …efficient, if the appropriate metrics are chosen
• …flexible, since based on continuous security deployment
• …implementable as maturity model, if the set of metrics is kept constant
• …brain-based - not only evidence-based

Page 17: Exposure Index

Last words

• The Exposure Index should be a starting point for drill-down analysis
• Mind the “blind spot”!
• Suit the model to your needs
• It's a model developed for the senior management
• Add metrics you need
• Make it simple, but not too simple!
• Your business intelligence team can support you!
• Start automation as early as possible
• Shorten your metrics-reporting-cycle (from monthly to weekly, to daily)
• Define realistic norm scales

Page 18: Exposure Index

Feedback appreciated

Holger Himmel

https://de.linkedin.com/in/holgerhimmel

Dr. Aleksandra Sowa

https://de.linkedin.com/in/asowa

Further literature (German)

- H. Himmel, Index der Gefährdungslage, IT-Governance, May 2015, p. 17
- H. Himmel and A. Sowa, Ein Tacho für IT-Sicherheit, <kes> - Zeitschrift für Informations-Sicherheit, August 2015, p. 37

Credits

Picture of Albert Einstein: Photographer: Yousuf Karsh, archived by www.calie.org

Tachometer: www.clker.com