Now, the challenge with the indications approach we discussed last time, is that there are potentially unlimited numbers of scenarios. To break out of this, cyber risk analysts must spend significant time contemplating:
- What is it that we absolutely cannot allow to happen?
- What cyber risk event would really devastate us?
- What scenarios has my organization not even considered?
For each of these questions, the analyst must ask “how hard would it be/how much would it cost for the adversary to do that”?
This line of thinking is a fantastic departure from traditional risk management approaches that tell us to rely on concepts like “probability”, “likelihood”, and “frequency”.
Ironically, thinking about the way things have always happened in the past lulls you into the trap of strategic surprise.
Several years ago the US Department of Energy worked with the North American Reliability Corporation to produce a report on High Impact Low Frequency risk events.
It was a neat effort that brought together an able group of thinkers. But no where did it address the issue of adversary cost.
In prioritizing defensive investments for high impact cyber scenarios, we cannot afford to apply historical, model-able, “fit-to-a-curve” approaches. Those models simply do not apply to intelligent adversaries.
Instead, I advocate replacing HILF with HILAR (High Impact Low Adversary Resources). If we don’t, I’m afraid the result won’t be so funny.