Recognising vulnerability in risk management
In a blog for the IoTUK programme, Brian MacAulay and Ismail Khoffi discuss the Benefit Harm Index, providing a way to quantify the estimation of the consequences of cyber-attacks. How do we protect against the unknown unknowns?
The long-running animation South Park has for over 20 years mercilessly parodied politicians and celebrities with its satirical and irreverent humour. In episode 163 they released the first of three episodes called Imaginationland, a parody of the increasingly apocalyptic scenarios emanating from security agencies in the US about potential terrorist attacks:
“Our imaginations are running wild and we weren’t told?! By attacking our imagination, the terrorists have found our most vulnerable spot…”
Although not their intention (I don’t imagine), the South Park writers highlighted a key weakness in our thinking and efforts to understand and manage key threats – the potential for emergent threats from as yet unknown sources and thus not within our probability risk models. These threats may only become known with more use of ‘imagination’, or more technically, scenario exploration.
As networks become increasingly connected, such as with IoT, and as companies and governments entrust digital systems to monitor and deliver services, the proportion of total value embedded in these systems is growing.
Digital Catapult are working with partners on HERMENEUT, a European Union Horizon 2020 research project that tries to develop “a holistic risk assessment model and approach to cyber-security cost-benefit analysis”. It also tries to incorporate some aspects which are often underestimated, among them human factors, the role of intangible assets and the strategies attackers deploy to find vulnerabilities and assets at risk.
Our main contribution is called the Benefit Harm Index (BHI). The document is written in language accessible to cyber security experts and economists alike. Where appropriate, it explains the economic context, history and how BHI diverges from certain orthodox economic reasoning, drawing inspiration from the radical economics of the Austrian School. By providing a way to quantify and compare the system’s benefit growth vs. the system’s harm growth, it aims to improve significantly the estimation of the consequences of cyber-attacks.
The BHI report combines insights from cyber security and dynamic economic modeling, integrating the important contribution intangible assets make to growth (as well as some methods borrowed from physics). Growth of harm and of benefit is quantified by classifying each into complexity classes, similar to the way computer scientists classify the complexity of algorithm running times with regard to the input. For the BHI, a straightforward way to compare these classes of growth is to map a number or “level” to each class. To calculate the BHI for a single point in time you simply subtract the “benefit level” from the “harm level”. If the outcome is negative, it indicates that the benefit will eventually be overtaken by the harm; if positive, the opposite is true.
Our approach is not to calculate such a number for a single point in time but rather for relative trajectories and, conscious of the potential for emergence, to monitor periodically. To achieve this, we can compute the components of the relationships (basically a difference between two numbers, each indicating the complexity class), projecting the resulting numbers over time.
The BHI identifies levels of control in terms of identifiable risk and how this can be managed. Risk mitigations imply that the system can be controlled in the presence of threat actors, so that their threat is reduced or effectively removed. The BHI methodology also proposes a taxonomy for the “vulnerability level” of a system.
Vulnerability levels or classes range from unauthorised access, uncontrolled inputs to stochastic systems, and peak in the worst case of a new emergent state of the system. We detail model states of a system in terms of a given scope and phase space with a given resolution, and use this as a measure of its intrinsic lack of controllability, from the perspective of the defenders who legitimately operate the system. Threats and vulnerabilities to components in the system vary fundamentally by class. Each vulnerability level requires radically different types of mitigation. The BHI report details examples of these. The vulnerability level of a component may be changed by reconfiguring components in the system. Some levels of vulnerability must be mitigated across systems, e.g. in the ecosystem.
In conclusion, the report approaches traditional risk modelling from the point of view that we cannot claim to know all the possible states for systems at each point in time, the particular trajectories on which they embark and the new state in the future. Humility must play a part and we need to acknowledge that there are aspects we cannot know and cannot control. That does not mean we can’t prepare.
The BHI methodology details the different levels of vulnerability, a taxonomy of dynamic complexity in which systems sit and what this means for mitigation and control. We hope this research is an important contribution to the debate around system security, promoting greater interdisciplinary working and generating insights on new approaches to modelling uncertainty.
The BHI report will be published by Digital Catapult in the summer. It has been written by Paul Galwas and Brian MacAulay, with contributions from HERMENEUT partners.