FAIR Open Course - Module 04 - Risk Analysis Data Gathering

This document summarizes a course material on data gathering for risk analysis. It discusses releasing the course material under an open license, thanking contributors, and an overview of the risk analysis module, which focuses on collecting the necessary data. Subject matter experts are needed from various areas: assets, threats, effects, and loss types. Two approaches to the analysis are described: open brainstorming mapped later to the risk model, or directly mapping to the model. Starting with loss event frequency is proposed, and ransomware is discussed as the scenario's focus, including typical controls and the complex decision around paying a ransom.

1

This course material by Osama Salah is released under the following license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

Conditions for use are published here:
https://creativecommons.org/licenses/by-sa/4.0/

2
Acknowledgement
• I would like to thank and acknowledge the following people for their
valuable contributions to this course material:
• Have your name and effort acknowledged here!!!

3
FAIR Open Course

Module 4 – Data Gathering


Ver. 0.1 / Last Update: 14/09/2019

4
FAIR Risk Analysis
• In the previous module we scoped and framed our risk analysis. In this
module we will focus on collecting the necessary data to feed into the
model.

5
The Scenario
• Analyze the risk associated with cyber criminals attacking our
campaign material repository using ransomware to encrypt the data
and lock out workstations.

Asset:   Campaign Material and CRM system
Threat:  Cyber Criminals
Effect:  Availability

6
Subject Matter Experts
• We need to assemble a team for the risk analysis.
• The SMEs can be selected considering:
1. Asset
2. Threat
3. Effect
4. Loss Types

7
Subject Matter Experts
• Asset
• Who is the asset owner? Data Owner? Data Custodian?
• The asset is used in which process? Who owns that process?
• Threat
• Who has insight into the threat community?
• Who might have dealt with them in the past?
• Effect
• Who has the most interest in avoiding this particular effect?
• For example availability might be of interest to COO or BCM, confidentiality might be
of interest to legal advisors, privacy officers etc.
• Loss Types
8
Subject Matter Experts (LM)
• Loss Magnitude (i.e. Loss Types)

Loss Type              SME
Productivity           Business Continuity (BIA), Operations, HR
Replacement            Asset owners
Response               Incident Response Team, BCM
Competitive Advantage  Corporate Strategy, R&D, Innovation Management
Reputation             Public Relations, Marketing, Sales
Fines and Judgements   Legal advisors, Regulatory Compliance Managers

9
Subject Matter Experts
• You can always invite additional SMEs as you work yourself through
the scenario and feel there are gaps that others can help address.
• When there are areas of high uncertainty, due to lack of insights from
SMEs, missing corporate capabilities (process, people or technology)
then these should be specifically documented. Hiding our uncertainty
serves no one.
• Talking openly about our uncertainty might lead to revelation of other
untapped data sources or management allocating resources to
address the uncertainty.

10
Where do we start?
(FAIR model diagram; the question marks on the slide sit on the two branches
you could start from)

Risk
  Loss Event Frequency (?)
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Difficulty
  Loss Magnitude (?)
    Primary Loss
    Secondary Risk
      Secondary Loss Event Frequency
      Secondary Loss Magnitude

11
Where do we start?
• There is no fixed rule on whether to start with the frequency side or
loss magnitude side. There is no right or wrong answer.
• Starting with loss magnitude might sometimes be easier because you
typically have more insight into the loss estimates.
• Starting with the frequency side could be more useful to help you
understand the scenario better since it includes all the variables
(other than loss magnitude) that lead up to a loss event.

12
How deep do we go down the rabbit hole?
• We always prefer to stay on the higher levels as
long as we have sufficiently accurate estimates.
• Decomposing risk with even more inaccurate
estimates will result in inaccurate analysis.
• Nonetheless, it’s useful to review all the variables
to ensure our thinking matches the model.
• When thinking about the scenario use the model
for guidance. One major advantage of using a
good model, is that it can make us take notice of
something we were not previously considering.

13
Analysis Approaches
There are essentially two approaches to the analysis.
1. Open Brainstorming first, then mapping to the model
• This is similar to an open brainstorming session where all ideas are
collected and evaluated later for suitability for the analysis. This
approach is suitable if the building blocks of the scenario are
unfamiliar. For example in our case we will be talking about
ransomware and many might not fully understand what it is or have
misconceptions on what it is.
• This approach could use a mind map, white board, post-it notes…

14
Mind map Example

15
Analysis Approaches
2. Map to the model
In this approach we directly map our inputs to the model. Usually
participants are very familiar with the scenario and its components.
Even if you start with brainstorming you will then follow it with
mapping to the model.

16
Analysis Approaches
In either approach the beauty of using a model is that there is no
judgment, there is no right or wrong.
All participants are basically focused on finding the best sources of
data, the discussion is on the quality of data and how it fits the model.

17
Starting with Loss Event Frequency
• In this example we choose to start with the loss event frequency side.
• It is always good to start with a more general understanding of the
scenario. Look at the bigger picture then focus on the details.
• At the center of the scenario we have “Ransomware”.
• What do we know about Ransomware?

18
Ransomware
• Ransomware is a form of malware.
• Ransomware encrypts files and locks up computers.
• Once the ransom is paid (through cryptocurrency) the hacker promises to release
the decryption key.
• There is no guarantee that the decryption keys will be released or that they will
work.
• Sometimes the encryption is implemented badly and cyber security companies
offer free decryption keys: https://www.nomoreransom.org
• We assume in this scenario that there is no free decryption available.
• Ransomware is typically opportunistic in nature i.e. the cyber criminals do not
specifically target companies.
19
Ransomware
• Infection happens like any other malware infection, i.e. it is
initiated by the user: by clicking on a malicious link, visiting a
malicious or compromised website or opening an email attachment.
• Ransomware controls are typical malware protection controls they
include:
• Technical controls such as antivirus and antispam solutions, backup
• Process controls such as incident response plans…
• Cyber Security “Hygiene” or system hardening: Disable macro scripts, patch
systems, least privilege and network segmentation
• End user training addressing phishing and social engineering

20
Paying the Ransom
• Paying the ransom is always an option victims have to consider.
• This turns out to be a rather difficult question. Tony Martin-Vegue wrote
a detailed article on that topic in the ISACA Journal (behind a paywall).
• Summary is available here:
• Decision Analysis of Ransomware Incidents
• Pay Or Not Pay A Ransom? It’s Not That Simple
• Full article here:
• The Downstream Effects of Cyberextortion
• In this scenario we assume the company refuses to pay the ransom.

21
Estimating Loss Event Frequency
• This is a question where we need to involve the right subject matter
experts.
• We can look at sources of information inside the organization and
reconcile that with information from outside the organization.
• When we elicit information we need to frame questions in plain and
straightforward business terminology. We are not going to ask “So
what is the threat event frequency in this scenario?”

22
Ransomware in the Organization
Loss Event Frequency
The questions in plain English would be:
• “How many ransomware loss events do
we expect to experience in the next 12
months”?
Or if we are trying to figure out if we have
historic data:
• “How many ransomware loss events
have we experienced in the last 12
months?”
23
Ransomware in the Organization
• Threat Event Frequency
The questions in plain English would be:
• How many ransomware incidents do we
expect to prevent from causing harm in
next 12 months?
Or if we are trying to figure out if we have
historic data:
• How many ransomware incidents were
prevented before they could cause harm
in the last 12 months?
24
Ransomware in the Organization
• We mentioned that ransomware is typically opportunistic and triggered
by end user action, thus investigating Contact Frequency (CF) and
Probability of Action (PoA) does not appear to be that useful.
• In our case the contact type is assumed to be “Random” (the contact
types in the model are Random, Regular and Intentional).

25
Assumptions so far
• We consider ransomware as a type of malware.
• Any malware infection could potentially have been a ransomware
infection, and any malware that bypassed our controls could have been
ransomware. We are as vulnerable to ransomware as we are to malware
in general.
• Every ransomware loss event will encrypt files and lock the endpoint.
• The threat actor is opportunistic, i.e. this is not a targeted attack, it’s a
random attack. Contact Type is “Random”. We are not saying that
ransomware could not be targeted, or that cyber criminals won’t increase
effort etc. once they have penetrated an organization and realize the
potential to expand and extort. We are just saying that in this scenario
the SMEs feel they are a low profile organization and unlikely to be targeted.
26
Ransomware in the Organization
• We are vulnerable when controls fail
(or don’t exist); then TEF turns into LEF.
• Ransomware has to get through our
existing defenses/controls.
• If ransomware is a type of malware
then data on prevented malware (TEF)
and non-prevented malware (LEF)
could be used to derive vulnerability.
• Not all malware is ransomware, but can we get a source stating ratios,
i.e. what percentage of malware is ransomware?
27
Ransomware in the Organization
Just a thought:
We assumed we will treat ransomware
the same as any other malware.
Another approach could be to
research if there is data to help estimate
how many ransomware infections are
typically recorded compared to all other
malware infections.

28
Ransomware in the Organization
• The organization has last year recorded 15 malware infections
(ransomware and others). These required workstations to be re-
imaged.
• The organization has a total of 500 workstations and laptops.
• About 50 of those are critical for the operation. They all have access
to the same critical file repositories. Any of those machines infected
with ransomware would be capable of encrypting all files.
• 5 of those machines were among the 15 infected machines in the last
12 months.

! In hindsight, limiting the analysis to only the 50 machines that are
used in critical processes appears to be not accurate.
For example even machines that are not critical will need to be
recovered/restored.
For now just go with it and in a future version I will refine the scenario.

29
Ransomware in the Organization
• OK, we collected some data through brainstorming and talking to
SMEs. But, what is useful and what isn’t?
• What do we map to the model?

30
Ransomware in the Organization
• The organization has a total of 500 workstations and laptops.
• About 50 of those are critical for the operation. They all have access
to the same critical file repositories. Any of those machines infected
with ransomware would be capable of encrypting all files.
• The organization has last year recorded 15 malware infections
(ransomware and others). These required workstations to be re-
imaged.
• 5 of those machines were among the infected machines in the last 12
months.

The company has 500 workstations, but we really care only about 50 out of
the 500. Since we reasoned that this is a random attack, any of these 50
critical machines is as likely to be infected as any of the other 450.

31
Ransomware in the Organization
• The organization has a total of 500 workstations and laptops.
• About 50 of those are critical for the operation. They all have access
to the same critical file repositories. Any of those machines infected
with ransomware would be capable of encrypting all files.
• The organization has last year recorded 15 malware infections
(ransomware and others). These required workstations to be re-
imaged.
  -> 15 malware infections (maybe useful?)
• 5 out of the 15 infected machines were critical machines.
  -> 5 critical machines infected last year (useful) -> Loss Event Frequency

32
Ransomware in the World
• What do we know about ransomware in the rest of the world?
• Do we know anything about it in our industry?
• We can basically start googling “Ransomware” and see what we can find.
• We need to be careful and distinguish between reliable and unreliable
sources.
• Many sources are written by marketing departments with the main
intention to push their solutions.
• Many news sources exaggerate with newsworthy headlines for the sake of
the clicks.
• Ensure the information is still relevant and not outdated.
33
External Data Sources
• The Verizon Data Breach Investigations Report is always a good
source. It includes a large data set and is prepared by a very
professional team. It has been maintained over many years which also
supports trending and comparisons.
• Reports published by the Cyentia Institute are always an excellent
source. So are the third party reports they include in their library.
• Internet Security Threat Reports, State of Cyber Security Reports
published by vendors (typically quarterly and yearly)
• Ask friends or post to the FAIR Institute community asking for sources
others might have used.
34
Ransomware in the World
From the 2019 Verizon Data Breach Investigations Report we learn:
• In terms of malware incidents Ransomware is #2 (28%) right after C2
malware (Command and Control) (47%).
• If our organization is not an outlier out of 100 malware incidents we
should be recording about 28 ransomware incidents.
• Be careful not to make any absolute inferences. Most data sources are
only used to inform our estimation.
• We haven’t found much useful information on Cyentia Institute
Website.
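The two pieces of reasoning above, deriving vulnerability from prevented versus non-prevented malware (slide 26) and scaling the malware loss event frequency by the ransomware share reported in the DBIR (slide 34), can be written down as a small mapping exercise. This is an added example, not part of the course material: the count of prevented incidents (85) is a constructed value the slides never give, the 15 infections, 500 machines, 50 critical machines, 5 critical infections and 28% share are taken from the slides, and the random-attack assumption is the one stated on slide 30.

```python
"""Map malware-incident counts to FAIR Vulnerability and Loss Event Frequency.

Added example (not part of the course material). Assumptions:
- prevented=85 is a constructed count; the slides do not give one;
- the 28% ransomware share is the 2019 DBIR figure quoted on the slide and is
  used only to inform the estimate, not as an absolute inference.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MalwareCounts:
    """Incident counts over one observation window (here: the last 12 months)."""
    prevented: int     # incidents stopped before they caused harm
    loss_events: int   # infections that caused harm (machines had to be re-imaged)

    @property
    def threat_events(self) -> int:
        # In FAIR a loss event is a threat event that got through, so the
        # threat event count is everything that arrived: prevented + not prevented.
        return self.prevented + self.loss_events


def vulnerability(counts: MalwareCounts) -> float:
    """Vulnerability = LEF / TEF: the fraction of threat events that became loss events."""
    if counts.threat_events == 0:
        raise ValueError("no threat events recorded; vulnerability is undefined")
    return counts.loss_events / counts.threat_events


def ransomware_lef(counts: MalwareCounts, ransomware_share: float) -> float:
    """Scale the malware LEF by the share of malware incidents that are ransomware.

    Relies on the slides' working assumption that ransomware gets past our
    controls as often as any other malware, so only the share differs.
    """
    if not 0.0 <= ransomware_share <= 1.0:
        raise ValueError("ransomware share must be a probability")
    return counts.loss_events * ransomware_share


def expected_infections_in_subset(infections: int, subset_size: int,
                                  total_machines: int) -> float:
    """Random-attack assumption: every machine is equally likely to be hit,
    so a subset of the fleet gets its proportional share of the infections."""
    if not 0 < subset_size <= total_machines:
        raise ValueError("subset must be non-empty and no larger than the fleet")
    return infections * subset_size / total_machines


# Figures from the slides: 15 infections, 500 machines, 50 critical, 5 critical hit.
LAST_YEAR = MalwareCounts(prevented=85, loss_events=15)  # prevented=85 is constructed
TOTAL_MACHINES = 500
CRITICAL_MACHINES = 50
OBSERVED_CRITICAL_INFECTIONS = 5
DBIR_2019_RANSOMWARE_SHARE = 0.28


def summarise(counts: MalwareCounts = LAST_YEAR) -> dict:
    """Collect the derived values that would be mapped to the model."""
    return {
        "malware_lef_per_year": counts.loss_events,
        "vulnerability": vulnerability(counts),
        "ransomware_lef_estimate": ransomware_lef(counts, DBIR_2019_RANSOMWARE_SHARE),
        "expected_critical_infections_if_random": expected_infections_in_subset(
            counts.loss_events, CRITICAL_MACHINES, TOTAL_MACHINES),
        "observed_critical_infections": OBSERVED_CRITICAL_INFECTIONS,
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key:42s} {value:g}")
```

With these inputs the vulnerability comes out at 0.15 and the ransomware share turns the 15 malware infections into an estimate of about 4.2 ransomware loss events a year. The random-attack assumption predicts about 1.5 infections a year among the 50 critical machines, while the slides record 5; a gap like that is exactly the kind of thing to take back to the SMEs rather than hide, in the spirit of the earlier slide on documenting uncertainty.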

35
Ransomware in the World
• Microsoft Security Intelligence Report January – December 2018 mentions
that in 2018 “ransomware encounters” have dropped compared to 2017
(peak 0.11% in 2017, 0.03% in Dec. 2018)
• Not clear what exactly is an “encounter”.
• Trend seems to be dropping, but will downwards trend continue in 2019 and beyond?
• FireEye on the other hand says “We saw an uptick in financially motivated
compromise such as ransomware and business email compromise…”
• Recorded Future says “While the number of ransomware variants continues
to expand rapidly, the truth is that most of these campaigns are ineffective
and die out quickly.”
• IBM says “However, more recently, criminals seem to use less ransomware…”
36
Ransomware in the World
• As we can see we have to be careful.
• Don’t fall for “Confirmation Bias” and stop researching after just a few
sources that appear to confirm our own intuition.
• Be clear on exactly which data the researchers base their opinion on.
• Companies will typically base their reports on the data they have access
to which is limited to their service offering. This might be broad for
some and very limited to others.
• We can of course expand our research to more sources, but for now
we conclude that ransomware is generally dropping or at least not
increasing.
37
Estimating LEF
• The experts estimate the frequency of a machine getting infected
with ransomware during the next year as:

LEF
Min ML Max
2 3 5

• But in real life you will have several SMEs each making different
estimates that need to be reconciled.
38
Combining SME Opinions - Brainstorming
The simplest method is to bring all SMEs together, present all the
different estimates and agree not to leave the room until they all agree
on an estimate they can live with.
That could work if you have a good facilitator and there aren’t too
many outliers and people are willing to listen to each other and update
their estimates.

39
Combining SME Opinions - Averaging
• Combining SME estimates by averaging usually reduces
inconsistencies.
• The result is again three values that can be used as inputs in a
computational engine that expects input in the min, ml, max format.
Min ML Max
SME1 2 15 25
SME2 4 12 22
SME3 3 17 30
Average 3 14.6 25.6

40
Combining SME Opinions - Distributions
Another method could combine the distributions and create a combined
distribution while giving different weights to different SMEs.
ModelRisk from Vose Software for example offers a function “VoseCombined”
that does that:
https://www.vosesoftware.com/riskwiki/VoseCombined.php
But the result would be a new distribution and not 3 values for min, ml, max.

41
Loss Magnitude
• Let’s recall the different loss types and focus first on the primary
losses
Loss Type              Primary Loss   Secondary Loss
Productivity           ✭
Replacement            ✭
Response               ✭              ✭
Competitive Advantage                 ✭
Reputation                            ✭
Fines and Judgements                  ✭

42
Loss Magnitude
Productivity
So what would happen when a workstation is locked out and our data is
encrypted? How would that affect productivity?
• It might delay submission of deliverables to customers, but how does that
translate into a loss? Maybe penalties will have to be paid? Maybe customer
gets upset and it will affect future business?
• The user might sit idle doing nothing (although realistically there is always
something useful to do that might not need a workstation or access to files).
• Always start with broad data collection like:
• How much is the average employee paid (one of the employees using a ‘critical’
workstation)?
• How many projects do we typically handle in a year?
43
Loss Magnitude
• We must have some projects that are in early stages and we can
accept and deal with delay. We probably can catch up quickly after
recovery is finalized. How many of these would our customers be
accommodating and how many customers would just terminate the
contract?
• But, we probably have also some projects that are already at late
stages and on-time delivery is critical to the customer. Customer is
unlikely to terminate but there might be penalties for late delivery
(which might fit better under Fines and Judgements) or maybe it will
have a more serious impact on future business?

44
Loss Magnitude
• Projects Per Year: 10,15,30 (Min, ML, Max)
• Projects running at the same time: 5,10,15 (Min, ML, Max)

• To start making more sense we need to start figuring out what that
means in terms of probable loss magnitude.
• How do we get to define estimates for the LM?

45
Loss Magnitude – Replacement and Response
• We can turn again to SMEs and ask how much time and effort would
be required to recover 50 workstations.
• The IT Department estimates that they would need to procure and
install new hard drives and re-deploy the critical applications. They
estimate this to take between 3 to 5 days but most likely 4. (3,4,5)
• The cost of a hard drive is about $45 (x50 -> i.e. total cost $2250).
• The IT department would need some help but many non-IT staff
members are tech-savvy and would not mind helping to install the
drives. Worst case they would hire two support engineers for $800
per day i.e. ($2400,$3600,$4000)
46
Loss Magnitude
• How many workstations/users are in our scope? 50
• How many people are involved in the recovery? 1 – 2 people
• What is the salary of an employee?
• Yearly ($50K,$70K,$100K) or
• Daily ($192,$270,$384)
• Days to recover 50 workstations? (6,8,10)
• Cost to recover 50 workstations? ($2400,$3600,$4000)
• Cost of hard drive replacement? $2250
• How many contracts might we lose? (1/50, 1/30, 1/20)(2%,3%,5%)
• Profit from contracts? ($300K,$450K,$9800K)
47
Primary Losses
Loss Type                          Primary Loss
Productivity (employee idle time)

48
Primary Losses
Loss Type                     Primary Loss
Productivity (lost revenue)   NA (will be addressed under secondary losses)
Replacement (50 HDs)          $2250
Response

49
Secondary Losses
Loss Type              Secondary Loss        Rationale
Response               NA                    We are not expecting to have to respond to the
                                             reactions of secondary stakeholders.
Competitive Advantage  NA                    There is no loss of competitive advantage.
Reputation             $300K, $450K, $900K   We suspect that some customers might take some
                                             business elsewhere due to a perceived bad reputation.
Fines and Judgements   NA                    We do not expect fines and judgements, i.e. law
                                             suits etc.

50