What do you tell your CIO or CEO when you try to get additional, or any, breach control dollars into the IS budget? How do you position these controls to demonstrate business value? If you aren't talking in terms of business risk, you might be pounding harder on the table than necessary.

Most seasoned security professionals know there is no way to completely protect a network and sensitive information from a highly motivated attacker. Rather, the goal is to reduce the risk of an attack. What is risk?

Risk is represented in various ways. The one I prefer is Risk = Probability of Occurrence * Business Impact. In simple terms, probability of occurrence (PO) is an estimate of the probability of a successful attack against a specific target, typically expressed in terms of annual occurrence. I say specific target because PO varies from system to system or between data types. Business impact (BI) is the damage done to the business if an attack is successful.

There are two approaches to plugging values into PO and BI: quantitative and qualitative. Using the quantitative approach, an analyst uses actual statistics and dollar values. For example, probability of occurrence might be calculated from the number of successful attacks against similar systems or data across the industry in which the organization operates. So if the average number of successful attacks against a business in the target industry over the past 10 years is 5, the PO might be calculated as .5 (annual probability). The qualitative approach relies on the experience of stakeholders and the analyst to arrive at estimated values. Qualitative risk scores are easier to calculate since actual statistics or dollar values associated with an attack don't have to be available, and usually aren't. Further, they tend to give additional weight to attacker motivation and capabilities. So the rest of this article focuses on qualitative risk assessment.

Calculating risk with qualitative measures

Qualitative measures are usually expressed as a range of values based on information collected by the analyst. Here are some questions to ask when trying to determine PO for a specific target:

- What is the value of the data? How much effort will an attacker be willing to expend to get to the data?
- What exploits currently exist? What are the possible attack paths for an internal or an external attacker? What controls are in place to detect or block intrusion or extrusion activities along these paths?
- Are all hardware and software components along each attack path patched? Are they hardened in compliance with best practice or vendor recommendations? Are all unneeded services shut down and all ports either closed or managed via access control lists?
- What skills will an attacker need to successfully breach your defenses? Can an entry-level hacker crack your defenses, or will it take an experienced black hat?
- In general, what vulnerabilities exist at each component in the attack path?

Using attack trees as part of formal threat modeling is often valuable when trying to answer these questions. And remember, there can be more than one path from an attacker to a target. All paths must be assessed. Once the analyst understands weaknesses and strengths along attack paths, he or she works with relevant personnel (e.g., developers, network engineers, and system administrators) to assign a value representing the probability of a successful breach.

The next step is assessing business impact. Again, this can be a value representing a point in a range between low impact and severe impact. It can also be a dollar value representing the impact of a single event. My white paper, A Practical Approach to Threat Modeling (PDF), contains a detailed discussion about how to arrive at these values with an expanded view of PO and BI. It also contains threat modeling tools.

Only management, with the analyst's assistance, can determine whether a risk score is too high. If a decision is made to reduce risk, the work done up to this point provides most of the information needed to reduce the organization's exposure.

Mitigating risk

Risk mitigation should focus on two things: strengthening key vulnerabilities or reducing the value of the target data. During the analysis phase, the analyst identified the possible paths to the target and the weaknesses along each path. Using that information, here are some mitigation steps he or she should consider:

- Install all unapplied security patches.
- Revisit system hardening misses.
- Get rid of sensitive information the organization doesn't need, and stop storing data from customers, patients, employees, etc. that isn't absolutely necessary for business operation.

These three mitigation steps cost nothing but time. Once resolved, risk should be recalculated. If the score is still too high, the analyst proceeds to mitigation steps which typically require budget. The process might look something like this:

- Identify one or more controls for each attack path. These are typically associated with each software or hardware component on the path, or with placement of an additional control device, such as a firewall or network intrusion protection system.
- Assign a dollar amount to each control.
- Starting with the lowest-cost control in each path, determine if it alone will stop an attacker's progress toward the target. If the answer is yes in all cases, you've identified the lowest-cost risk mitigation budget.
- If one or more lowest-cost controls won't sufficiently reduce risk along a path, move to the next higher-cost control in the path and redo the analysis. Continue until all paths are protected in a reasonable and appropriate manner.

Sometimes a combination of controls is necessary to secure a path. However, the analyst with business value in mind tries to mitigate risk while keeping costs as low as possible. Diagrams which demonstrate this effort are very valuable when pitching the solutions to decision makers.

The final word

Remember, the objective of breach risk mitigation is to increase the effort necessary to successfully breach a network, system, etc. beyond the value gained by a successful attack. Most cyber-criminals are in it for the money. Make it more cost effective to go someplace else for their next breach attempt while minimizing your organization's costs for control acquisition and management.
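The control-selection process described under Mitigating risk, as an added worked example that is not from the original article or its white paper: it scores each attack path with Risk = PO * BI, then finds the cheapest control set that brings the path at or under management's risk ceiling, going one step beyond the article's single-control walk by also trying combinations. Everything in it is assumed: the path and control names, the dollar figures, and the model in which each control leaves a "residual" fraction of the path's PO behind and controls on one path combine multiplicatively.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Control:
    name: str
    cost: float      # dollars for acquisition and management
    residual: float  # share of the path's PO left after this control (assumed to multiply across controls)
@dataclass(frozen=True)
class AttackPath:
    name: str
    po: float        # qualitative annual probability of a successful breach via this path
    controls: tuple  # candidate budgeted controls identified for this path

def risk(po, bi):
    return po * bi   # the article's Risk = Probability of Occurrence * Business Impact

def residual_po(path, chosen):
    po = path.po
    for c in chosen:
        po *= c.residual
    return po

def cheapest_sufficient(path, bi, max_risk):
    """Cheapest control set meeting max_risk; tries combinations too, beyond the article's walk."""
    if risk(path.po, bi) <= max_risk:
        return ()    # already acceptable: no spend on this path
    best = None
    for size in range(1, len(path.controls) + 1):
        for combo in combinations(path.controls, size):
            if risk(residual_po(path, combo), bi) <= max_risk:
                if best is None or sum(c.cost for c in combo) < sum(c.cost for c in best):
                    best = combo
    return best      # None means no available control set is sufficient
def build_budget(paths, bi, max_risk):
    return {p.name: cheapest_sufficient(p, bi, max_risk) for p in paths}

def total_cost(plan):
    return sum(c.cost for chosen in plan.values() if chosen for c in chosen)

# Constructed sample: three paths to a customer database; every figure is invented.
BI = 400_000       # management's single-event business impact, in dollars
MAX_RISK = 40_000  # management's ceiling on annual risk (PO * BI) per path
PATHS = (
    AttackPath("internet -> web app -> customer db", 0.5,
               (Control("secure code review", 10_000, 0.7),
                Control("WAF", 20_000, 0.5), Control("NIPS", 60_000, 0.3))),
    AttackPath("phishing -> workstation -> file share", 0.4,
               (Control("awareness training", 5_000, 0.6), Control("EDR", 30_000, 0.2))),
    AttackPath("contractor VPN -> jump host", 0.05, (Control("MFA on VPN", 8_000, 0.4),)),
)
```

With these constructed figures the web path needs the WAF and NIPS together, the phishing path is covered by EDR alone, and the VPN path is already under the ceiling, so `total_cost(build_budget(PATHS, BI, MAX_RISK))` is the lowest-cost mitigation budget of 110000.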