Virginia builds new model for quantifying cybersecurity risk
A shortage of resources amid an uptick in ransomware attacks has prompted Virginia technology officials to develop a unique model for evaluating IT security threats and prioritizing their defenses.
The new model, officials said, allows them to define cybersecurity risks in exact dollar amount, shifting away from a system in which policymakers relied on anecdotal information and estimates when allocating resources to the most sensitive government functions.
Jon Smith, the Virginia Information Technologies Agency’s risk-management director, said the new model, which is an adaptation of several leading standards for quantifying risk, is already being used to rethink how VITA provides its services to more than 60 other agencies across the commonwealth.
“Part of our oversight is making sure we’re making good investments and cyber enhancements,” Smith said. “And for the cyber liability insurance we should be carrying, without a dollar sign, it’s really challenging.”
More accurate predictions
One standard for security assets commonly adopted by states, from the National Institute of Standards and Technology, adheres to a three-tier structure, ranking each potential vulnerability as having a high, medium or low impact, which Smith said is not precise enough for effective cybersecurity budgeting.
Virginia’s model, rather, begins with a modified version of the “factor analysis of information risk,” or FAIR, model, which estimates the probability and magnitude of potential data breaches. Virginia’s model also uses the Center for Internet Security’s list of 20 security controls and resources, Verizon’s annual Data Breach Investigations Report and research from the Ponemon Institute to calculate state records’ risk values.
“Health care records usually cost X amount of dollars and in another sector where it’s retail or your personally identifiable information or something like that, it would cost another Y amount of dollars,” Smith said.
By figuring this research into the state’s model and tweaking how each of its security controls are weighted, officials said they’ve arrived at what they believe is a more accurate prediction of what it would cost the state in the event of various system breaches. The type of record and number of potential users that would be affected in a given breach are of particular importance, they said.
John Craft, Virginia’s deputy chief information security officer, said the model has already been used to adjust the amount of liability the state holds on its cybersecurity insurance policies — raising it in some cases and lowering it in others.
“We’re not basing risk on external factors,” Craft said. “We’re doing this based on fundamental controls, whether it’s a ransomware attack or something else, it doesn’t matter, the risk model factors in the number of records and controls.”
To test the accuracy of the model, officials compared the outcomes of past data breaches from around the country that had known variables — such as the number and type of records affected and the eventual financial cost to the institution — against the predictions of their own model.
“When we do the comparison, we find that we’re pretty close. This has been pretty accurate for us,” said Mark Martens, a senior risk analyst at VITA.
A unique environment
But Smith said the model is still somewhat “immature” and will require additional data from agencies to continue honing its accuracy. In fact, it’s data supplied by state agencies that made the model possible in the first place. The necessity of that data also accounts for why such risk models, though clearly in demand among government agencies with more threats than they can afford to defend against, aren’t prevalent among state governments.
“Between our risk and compliance tool set and analysts and centralized information security office and audit services, we have visibility into the agencies that other states don’t have,” Craft said. “There’s only a few other states with a similar model to us.”
Georgia and Texas have IT models similar to that employed in Virginia, wherein a centralized technology department acts as a broker of services to other agencies using different vendors contracted for each function. Craft said that structure — combined with an executive order requiring agencies to hand over their risk data — ensured the new model would function.
Smith said work on the model began just a few months ago, following a call from Virginia Secretary of Administration Keyanna Conner for a more quantitative approach to the state’s cybersecurity.
“That really puts the fire under the kettle, so to speak, to get us moving,” Smith said. “If we have a big data breach or ransomware incident, it could potentially impact the commonwealth’s bond rating.”
Martens said the Center for Internet Security praised the state’s quick development of the new risk model.
“They were really surprised by how far we made it and they were scratching their heads over it,” Martens said. “It’s because we had a lot of the tools in place and we had all the protocols for our systems already.”
‘They have a lot of data’
Although VITA is leading the project and requiring agencies hand over their data, something agencies are often hesitant to do, Smith said it’s not conducting these analyses “in a bubble.”
“We have a risk management committee that has risk information security officers from several of the agencies and they’re also helping to build input and feedback from their organizations on how this will work,” Smith said. “One that is really big is our Department of Motor Vehicles. They have a lot of data, a lot of records that helped us understand the really big organizations and fine tune the model.”
So far, only VITA employees working on the new risk model are privy to its results, though Smith said the agency will start publishing those results for other agencies in early 2020.
“Once we start publishing these risk scores, we expect that we’ll have interactions with the agencies because they may not agree with the assessments,” he said.
But that’s a good thing, in Smith’s estimation, as he predicted that any disagreements will encourage agencies to provide more information that will continue to improve the accuracy of the state’s risk model.
