    .    
 

 . 


.      
           .        ,         .    ,    ,        ,             .

  PDF A4    .





 . ,  

    .    


  :

  ,          .    , ,  ,   ,     ,   ,     .


  :

    : , ,   .         ,      .      .


             ,    .



HOW TO MEASURE ANYTHING IN CYBERSECURITY RISK

Douglas Hubbard, Richard Seiersen, Daniel E. Geer, Stuart McClure

© 2016 by John Wiley & Sons, Inc.

All Rights Reserved. This translation published under license with the original publisher John Wiley & Sons, Inc.



  ..,    , 2023

 .   , 2023












             :  .      -.



 .   ,   

      .         Kerberos,     -,                In-Q-Tel.       ,     .  -,   , ,     .


         .    .   ,          


.   , , ,         :        ,  ,  ,       ,       .             .

     ,    .      ,       ,      .     ,      ,    ,    .  ,      .         .

    ,     .     ,     .   ,  ,     ,  ,     ,   ( ) ,     .   ,     ,         .   ,      ,     .

     -  .    ,                ,       -  .        :

,  ,  ,     :

   ?

   ,         ?

    ?

         ?

      ?



       .            .     .

       ,          ?,    ?.  ,     ,                   ?

- ,    ,       .   ,    .      ,       .   ,   , ,      ,      ,     ,       .    ,     ,     .          .

   ,       ,   ,     .  .    .     ,       ,   ,           .   ,  ,         ,   .

   ? , .




1. Daniel Geer, Jr., Kevin Soo Hoo, and Andrew Jaquith, "Information Security: Why the Future Belongs to the Quants," IEEE Security & Privacy 1, no. 4 (July/August 2003): 32–40, geer.tinho.net/ieee/ieee.sp.geer.0307.pdf.









 -

 -     Cylance,      McAfee,        .


       :   ,   . ,  ,         . ,             ,     ,           - ,     .

          ,      .       ,     .              :     ?

    ,    : .    .         ,    ,      : , . ? ,       .     ?    .

           InfoWorld  Ernst & Young,      Foundstone,       McAfee,   Foundstone,      Cylance        ,    ,   .      ,                        .

  ,   ,     ,           ,    .

    ,    ,      ?         ?.         .         . ,          ,   - :   ,    .

            ,      ,   ,    ,    .     ,       ,     ,          ,  ,   .            .    .     -       ,    .







     :

 

 

 

 

  

 

 

 

 

 

 

 

- 

 

 -

 

 

 

 SIRA.org

 

 



         .




 


           Hubbard Decision Research.                 ,  .     [1 - .: -, 2009.] (How to Measure Anything: Finding the Value of Intangibles in Business),    The Failure of Risk Management: Why It's Broken and How to Fix It (   :        )  Pulse: The New Science of Harnessing Internet Buzz to Track Threats and Opportunities (:       ).           ,     ,     100 000 .                 27      ,    , ,  ,  , ,    ,  ,     ,  ,    .       ,   Nature, The IBM Journal of R&D, Analytics, OR/MS Today, InformationWeek  CIO Magazine.



         20-      ,     .              GE Healthcare.   ,      ,     ,  ,   .         -,        .   ,  ,  ,             -  .    ,  ,   ,       .








     ?

     ,          ,  .     .              ,  .         .

       .       ,     .           (    ,     ,  ,    ..),      .

 ,    ,    .                     ,    ,        .    -  ,                .

, ,    ,              .


   ?

       ,             ,  ,    :

     ,        ?

      ,  ,          ?



 ,           ,         ,           .    ,        ,    .   ,  ,       ,   ,         ,      .  ,      ,            ,     .              .


 

 ,      ,    .  ,    ,       ,        .  ,      .

         . ,     ,       . , ,  ,                  .    ,               .


    ?

    ,     ,    ,    .

  ,           (      ).

    ,       .

        ,       /  ,    .



     ,   .        .             , ,  ,   ,   .


  

       .     ,   .  ,       .         ,           .   ,       -   ( ,  ) ,   .    -       .


   ,   

  ,          ,    ,        .   ,  ,       ,    ,            ,   ,      .


   

          .     ,  , ,    ,       .            ,     ,       .  ,        ,     ,        .

            .  ,             .

,       ,        .   ,         ,         .




 I.            





 1.    


   ,    .

.  .   [2 - . . .]


 11  2001          ,   ,        .   12           : .    . ,  14  2013 


           , :



 ,    ,     ,      ,     .


       .    2001 ,   ,       ,    ,          ,       ?  ,    ,     .

 ,  ,      ,  ,     ,   ,   .   ,   , ,    ,     ?    , ,   .    ,  , ,   ,      .

     .             . ,     ,  ,          ,  .  ,           .                        .     :

    ;

        , ,     (   ,     );

            ,      ,   .



  ,     .        .       ,     .    ,    ,      SQL-.      ,           .

    ,     .        .        ,          .       , ,    ,     ,     .




  


,  ,        ,      ,       .  ?  ,    ,            ,     ,   , ,      .      , , ,    .        ,    ,   ,      ,    .

       ,   2015     14 000    ,   1800   , ,      ,  :



  ,             ,       ,     .   ,        .

(ISC)²


   , 2015 




       .    ,  , ,      400 . 


.  2014    1     , -   Forbes     


.  , , ,   :    .

 ,     XL Catlin,    , ,         ,       42     


.      ,      ,   ,                  Anthem, Target  Sony.  XL Catlin        ,     .   ,             ,         .

            ?      (attack surface).         .       .       ,   .   ,  , ,    .        ,       Home Depot, Target, Anthem  Neiman Marcus,       ,            .      .          (, ,   ).

          ,   ,       


.        ,       ,           .      ,           ,     .       ,     ,  , ,  . ,      Target        ,    .

,   ,   ,   ,      :       ,   .             ,    ,       .       ,         :      ,    ,               ,        ,      .

     .  -           2001  2014  ( 500  3).   ,         ,      ,   ,       (,       )


.  ,      -       .

      -.    ,  ,   ,      ,        ,     .   .   . ,  2001     -     ,   ,   2014  1.                  .      Gartner   ,       2015      30%    2014-   4,9,   2020-   25


.           .         (NSTAC) ,     ,         ,      ,     .     ,         


.

   .               .   -        ,         .        ,  ,         .            ,    .

    .     ,        .  ,   Target    ,   ,          .    Target  ,     ,   ,       .       ,           .         ,     ,     .   ,              .



 ,         .           ,      .

     ?     .   ,    .        , , ,       .              .     ,    Target, Anthem  Sony, ,      .




  


  ,       .  , ,         .   ,    ,    ,    .

  ,           .         , ..   ,  , , ,   .    ,    .          , ,   ,      .

       ,     .         ?,   ,  Sony?          ?.       ,          .       Fortune (Fortune 100)  20  ,          ,   .  CFO Magazine ,    2008         


.              ,      ,    .       Target -     


,       JPMorgan,     


.

               ,     (, ,      )       .

   11        4,1 .


  2015     ,    ,   36,7 .




   1,4 .   ,  


.

,   ,      ,       


.



             ?     ,     . ,      ,    ,      .    , ,   .., ,     () .     ,    ,      ,        .             .

          ,        ,   ,      .      , ,    .          ,          .      ?     ,       ?  ,      ,             ?

,      ,      .        ,   ,     ,      .       ,   ,  . ,     ,      .        ,        .    ,  ,      ,   ,  ,  .

         ,     1  5,            (  -:  ,  ,    ..).        ,    ,      .1.1. ,       ,       ,                 .   ,    ,           . ,      ,  ,    .






.1.1.    (      )



                ,        (National Institute of Standards and Technology, NIST),     (International Standards Organization, ISO), MITRE.org        - (Open Web Application Security Project, OWASP).  ,  , ,               .      ,    ,  Oracle, Microsoft  Adobe,       NIST         (Common Vulnerability Scoring System, CVSS).  ,         CVSS    ,      .              , ,            ,   .

                 .                 .

      ,      ,   ,    ,   .        ,     :



        ,   ,     .        ,   ,       .       .    ,    ,   .

OWASP


 ( . . ., . .)

    ? ,          ,  ,   .   ,       .            , , ,     .

        .  .   .   ,    ,       ,    (       4  5).

 ,         ,    ,   .

,  ,          .         ,   ,    (          5).

   , ,    .         ,            (    ).

        ,  .

 ,    , ,        .    (       ),    ,        .



,            ,     ,       .            ,        ,     ! ,                    .        ,           .

    

        ,   ,    ,       .      , ,            .       ,  , ,     . ,  ,        ,     .

     .         .     ,     .

          ,     .    ,   ,    ,  ,   ,            .       ,       ,        .

  ,           .      ,   ,   ,  ,        .

    .    ,    .                  .             .

        .    ,  .    ,  ,   ,   .              .  ,         ,    .



    ,    -    .       ,    ,     ,     ,     .   ,     .  ,      ,   ?     .            ,   ,     ,       ,       .

             ,     ,    .    ,       ,                   (  ,   ).

       :       ,                .           .

            .      ,                 .




1. Greg Miller, "FBI Director Warns of Cyberattacks; Other Security Chiefs Say Terrorism Threat Has Altered," Washington Post, November 14, 2013, www.washingtonpost.com/world/national-security/fbi-directorwarns-of-cyberattacks-other-security-chiefs-say-terrorism-threat-hasaltered/2013/11/14/24f1b27a-4d53-11e3-9890-a1e0997fb0c0_story.html.

2. Dan Waddell, Director of Government Affairs, National Capital Regions of (ISC)², in an announcement of the Global Information Security Workforce Study (GISWS), www.isc2.org, May 14, 2015.

3. Stephen Gandel, "Lloyd's CEO: Cyber Attacks Cost Companies $400 Billion Every Year," Fortune.com, January 23, 2015, http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/.

4. Sue Poremba, "2014 Cyber Security News Was Dominated by the Sony Hack Scandal and Retail Data Breaches," Forbes Magazine, December 31, 2014, www.forbes.com/sites/sungardas/2014/12/31/2014-cybersecurity-news-was-dominated-by-the-sony-hack-scandal-and-retaildata-breaches/#1c79203e4910.

5. Kevin Haley, "The 2014 Internet Security Threat Report: Year Of The Mega Data Breach," Forbes Magazine, July 24, 2014, www.forbes.com/sites/symantec/2014/07/24/the-2014-internet-security-threat-reportyear-of-the-mega-data-breach/#724e90a01a98.

6. Matthew Heller, "Lloyd's Insurer Says Cyber Risks Too Big to Cover," CFO.com, February 6, 2015, ww2.cfo.com/risk-management/2015/02/lloyds-insurer-says-cyber-risks-big-cover/.

7. Jim Bird and Jim Manico, "Attack Surface Analysis Cheat Sheet," OWASP.org, July 18, 2015, www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet.

8. Stephen Northcutt, "The Attack Surface Problem," SANS.edu, January 7, 2011, www.sans.edu/research/security-laboratory/article/did-attacksurface.

9. Pratyusa K. Manadhata and Jeannette M. Wing, "An Attack Surface Metric," IEEE Transactions on Software Engineering 37, no. 3 (2010): 371–386.

10. Gartner, "Gartner Says 4.9 Billion Connected Things Will Be in Use in 2015" (press release), November 11, 2014, www.gartner.com/newsroom/id/2905717.

11. The President's National Security Telecommunications Advisory Committee, "NSTAC Report to the President on the Internet of Things," November 19, 2014, www.dhs.gov/sites/default/files/publications/IoT%20Final%20Draft%20Report%20112014.pdf.

12. Alissa Ponchione, "CISOs: The CFOs of IT," CFO, November 7, 2013, ww2.cfo.com/technology/2013/11/cisos-cfos/.

13. Matthew J. Schwartz, "Target Ignored Data Breach Alarms," Dark Reading (blog), InformationWeek, March 14, 2014, www.darkreading.com/attacks-and-breaches/target-ignored-data-breach-alarms/d/d-id/1127712.

14. Elizabeth Weise, "Chief Information Security Officers Hard to Find – and Harder to Keep," USA Today, December 3, 2014, www.usatoday.com/story/tech/2014/12/02/sony-hack-attack-chiefinformation-security-officer-philip-reitinger/19776929/.

15. Kelly Kavanagh, "North America Security Market Forecast: 2001–2006," Gartner, October 9, 2002, www.bus.umich.edu/KresgePublic/Journals/Gartner/research/110400/110432/110432.html.

16. Sean Brodrick, "Why 2016 Will Be the Year of Cybersecurity," Energy & Resources Digest, December 30, 2015, http://energyandresourcesdigest.com/invest-cybersecurity-2016-hack-cibr/.

17. Deborah Gage, "VCs Pour Money into Cybersecurity Startups," Wall Street Journal, April 19, 2015, www.wsj.com/articles/vcs-pour-moneyinto-cybersecurity-startups-1429499474.

18. PWC, "Managing Cyber Risks in an Interconnected World: Key Findings from the Global State of Information Security Survey 2015," September 30, 2014, www.pwc.be/en/news-publications/publications/2014/gsiss2015.html.

19. OWASP, "OWASP Risk Rating Methodology," last modified September 3, 2015, www.owasp.org/index.php/OWASP_Risk_Rating_Methodology.




 2.      


   ,           ,        .

 .   .   ,   ?





  ,         ,          ,         .   ,   ,    ,        ,     .       ,       ,  .     .         ,    .        , , ,   .       ,    .

  ,    ,    -,    ,   .         ,     : ,   .         (   5),      .

1. .     .       ,       .

2. .      ,   .      .

3. .     .           ,   ,   ,  ,    , , ,    .

         ,  howtomeasureanything.com,   c, o  m  .com  ,   .   ,      ,  ,      .




 


    ,       ;         ,    .

  (1879–1955),  

    ,       .   ,   -  ,    ,      .

  (1872–1970),    

 , ,  -   ,   , , ,   , , ,  ,   .   ,     -    ,           .

       ,   , ,  ,      ,   ,    ,    ..        ,      ,    .      ,          .

,       - :        ,        . ,  , :    ,         ,    .         ,         ,   .  ,     ,     .


 

         ,   .  ,        .        ,    ,                 ,  , .  ,   ,            ,      ,     .

          .  ,  ,   ,     .       (,   )    ,     ,      (..       ). ,     ,        , :  90%-  ,              1  8 .



 

           .


        ,           .        ,       .  ,    ,    1940-   ,  -  .  1948       A Mathematical Theory of Communication


 (  ),       ,  ,    ,      .

          ,       ,  .  ,        ,  ,   - ,          (..  ).          , ,   ,  ,       ,      .

       .   ,     (,     IT-     ),  ,    ,    .         .


  

,           ,      .           .   ,     ,   ,               .

          ,   ?                 .  ,    ,       1  5,   ,      ,   .        ,         .      ,       ,     .

 ,       ,    .       ,         ,  , ,    - . ,   -,     (,              ),          .             , :  15%-      ,   20%      ..

 ,           /   ,          .  1946        On the Theory of Scales and Measurement (   )


.       : , ,   .           ,         .         .     ,  6  2 ,  4 (6    6 .).      ,  6  50% ,  4,     ,  3. , 6       ,  3   (           ).   6 .   ,  3.         ,    .

      .        ,      ,        .    ,  ,        , ,     ,         .        ,    .  ,   , ,    .    ,   ,     ,       ,    ,     ,    .                   .

         ,          ,     .   ,      ,     . ,      ,    ,       .







