Basic Math for Risk Quantification
Basic Math Concepts of Risk Quantification
- Multiplication (grouping sequence)
- Frequency & Rates (from a word problem to Poisson input)
- Fractions to Percentages (1/3 or 30% of assets unpatched)
- Percent and decimal forms
- Working with word problems
Multiplication (grouping sequence)
Multiplication in the context of grouping sequences refers to the repeated addition of groups of equal size. This concept is fundamental to risk quantification, where we multiply individual probabilities to find the likelihood of multiple independent events occurring together.
In cyber risk quantification, this applies when calculating the probability of multiple independent events happening simultaneously or in sequence. For example, the probability of a successful cyber-attack might depend on multiple factors.
Examples:
Basic multiplication as grouping:
3 × 4 can be thought of as 3 groups of 4:
(4 + 4 + 4) = 12
Applying to probability:
If the probability of a phishing email getting through filters is 0.2 (20%),
and the probability of an employee clicking on it is 0.1 (10%),
the joint probability of both (independent) events occurring is:
0.2 × 0.1 = 0.02 (2%)
Multiple factors in cyber risk:
Probability of:
Unpatched vulnerability: 0.3 (30%)
Attacker discovering the vulnerability: 0.2 (20%)
Successful exploit: 0.5 (50%)
The joint probability of a successful attack via this method:
0.3 × 0.2 × 0.5 = 0.03 (3%)
Visualizing grouping in cyber context:
If a company has 5 servers, each with 3 critical applications:
Total critical applications = 5 × 3 = 15
This can be visualized as 5 groups of 3.
Frequency & Rates
Explanation of Frequency & Rates:
Frequency and rates are important concepts in cyber risk quantification, especially when dealing with events that occur randomly over time. These concepts often lead to the use of the Poisson distribution, which models the number of events occurring in a fixed interval of time or space.
Key points:
- Frequency: The number of times an event occurs within a specific period.
- Rate: The average number of events per unit of time or space.
- Poisson distribution: A probability distribution that expresses the likelihood of a given number of events occurring in a fixed interval, assuming these events occur with a known average rate and independently of each other.
Moving from a Word Problem to Poisson Input:
- Identify the event of interest in the word problem.
- Determine the time period or space interval being considered.
- Calculate the average rate of occurrence.
- Use this rate as input to the Poisson distribution.
Example:
Word Problem: “A company experiences an average of 5 attempted cyber-attacks per week.”
Step-by-step process:
- Identify the event: attempted cyber-attacks
- Time period: one week
- Calculate the rate: 5 attempted attacks per week
- Poisson input: rate = 5 attacks per week (this average rate is the Poisson parameter)
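As an added example, not from the page's author, the word problem above carried into the Poisson distribution in Python: the stated rate becomes the Poisson parameter, it is rescaled to other intervals so the units stay consistent, and the distribution is then queried for the counts a risk analyst cares about. The 5-per-week figure is the page's constructed value.

```python
import math

# Constructed input from the page's word problem: 5 attempted attacks per week.
ATTACKS_PER_WEEK = 5.0

def rescale_rate(rate, from_days, to_days):
    """Restate a rate per one interval as a rate per another interval.
    A Poisson rate scales with interval length: 5 per 7-day week is
    5 * (28 / 7) = 20 per 28-day month."""
    return rate * (to_days / from_days)

def poisson_pmf(k, lam):
    """Probability of exactly k events when the average count is lam."""
    if k < 0:
        return 0.0
    return math.exp(-lam) * lam ** k / math.factorial(k)

def poisson_cdf(k, lam):
    """Probability of k or fewer events."""
    return sum(poisson_pmf(i, lam) for i in range(k + 1))

def prob_at_least(k, lam):
    """Probability of k or more events: the tail that drives capacity planning."""
    return 1.0 - poisson_cdf(k - 1, lam)

def word_problem_to_poisson(rate_per_week=ATTACKS_PER_WEEK):
    """The page's steps: event = attempted attack, interval = one week,
    rate = 5 per week, and that rate is the Poisson input."""
    lam_week = rate_per_week
    return {
        "lambda_per_week": lam_week,
        "lambda_per_day": rescale_rate(lam_week, 7, 1),
        "p_exactly_5_in_a_week": poisson_pmf(5, lam_week),
        "p_no_attacks_in_a_week": poisson_pmf(0, lam_week),
        "p_10_or_more_in_a_week": prob_at_least(10, lam_week),
    }

if __name__ == "__main__":
    for name, value in word_problem_to_poisson().items():
        print("%-24s %.4f" % (name, value))
```

The "10 or more" tail is the number to watch: with an average of 5 per week it is only about 3%, but it is the week that overloads a small response team.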
Fractions to Percentages
Explanation of Fractions to Percentages:
In cyber risk quantification, it’s often necessary to express parts of a whole as percentages. This is particularly useful when describing the proportion of assets or systems that have a certain characteristic or are in a particular state.
Key Concepts:
Fraction: A part of a whole, expressed as a ratio of two numbers (numerator/denominator).
Percentage: A proportion expressed as a part per hundred.
Conversion: To convert a fraction to a percentage, divide the numerator by the denominator and multiply by 100.
Converting Fractions to Percentages:
Step 1: Divide the numerator by the denominator.
Step 2: Multiply the result by 100.
Step 3: Add the % symbol.
Example 1: 1/3 of assets unpatched
1 ÷ 3 = 0.3333… (recurring decimal)
0.3333… × 100 = 33.33…
Result: 33.33% (often rounded to 33.3% or 33%)
This means that approximately 33.3% of the assets are unpatched.
Example 2: 30% of assets unpatched
In this case, we’re already given a percentage. It’s useful to understand how this relates to fractions: 30% can be written as 30/100, which can be reduced to 3/10.
Application in Cyber Risk Quantification:
“1/3 of our servers are running an outdated operating system.”
This translates to 33.3% of servers needing an update, helping prioritize resource allocation.
Vulnerability Assessment:
“30% of our applications have unpatched vulnerabilities.”
This directly tells us that 3 out of every 10 applications need attention.
Risk Calculation:
If 1/4 of systems are vulnerable (25%) and the probability of an attack is 1/5 (20%),
the overall risk could be calculated as: 25% × 20% = 5%, or in decimal form 0.25 × 0.20 = 0.05
Compliance Reporting:
“7/8 of our data is encrypted.” Do the math (7/8 = 0.875), then multiply by 100 to move from the decimal value to a percentage: 87.5%. This might be reported as
“87.5% of data meets encryption standards.”
Incident Response:
“2/5 of incidents were resolved within the target time frame.”
This shows that 40% of incidents met the response time goal.
Looking at the math: 2/5 = 0.40, then multiply by 100 to convert the decimal to a percentage: 40%.
Using Percentages in Risk Communication:
Percentages are often more intuitive for non-technical stakeholders. For instance, saying “33% of our assets are at risk” is generally clearer than “1/3 of our assets are at risk,” especially when dealing with more complex fractions.
Percent and decimal forms
Explanation of Percent and Decimal Forms:
In cyber risk quantification, we often need to express probabilities, proportions, or rates in either percent or decimal form. Understanding how to use and convert between these forms is crucial for accurate risk calculations and clear communication.
Key Concepts:
Percent: Represents a number as a fraction of 100, denoted by the % symbol.
Decimal: Represents a number using the base-10 system, with digits to the right of the decimal point indicating fractions.
Converting Between Percent and Decimal Forms:
From Percent to Decimal:
Divide the percent by 100
Example 1: 75% → 75 ÷ 100 = 0.75
From Decimal to Percent:
Multiply the decimal by 100 and add the % symbol
Example 2: 0.35 → 0.35 × 100 = 35%
Applications in Cyber Risk Quantification:
Probability Expression:
Decimal: A 0.01 chance of a data breach
Percent: A 1% chance of a data breach
Risk Levels:
Decimal: 0.05 risk level for phishing attacks
Percent: 5% risk level for phishing attacks
Success Rates:
Decimal: 0.998 uptime for a critical system
Percent: 99.8% uptime for a critical system
Vulnerability Assessments:
Decimal: 0.22 of systems have critical vulnerabilities
Percent: 22% of systems have critical vulnerabilities
Compliance Metrics:
Decimal: 0.95 compliance rate with security policies
Percent: 95% compliance rate with security policies
Examples and Conversions:
“Our intrusion detection system has a 0.97 accuracy rate.”
Converted to percent: 0.97 × 100 = 97%
Interpretation: The system accurately detects threats 97% of the time.
“15% of our network traffic is unencrypted.”
Converted to decimal: 15 ÷ 100 = 0.15
Application: In risk calculations, you’d use 0.15 as the proportion of unencrypted traffic.
“The probability of a successful brute force attack is 0.0025.”
Converted to percent: 0.0025 × 100 = 0.25%
Communication: There’s a 0.25% chance of a successful brute force attack.
“We’ve achieved 99.99% uptime for our main server.”
Converted to decimal: 99.99 ÷ 100 = 0.9999
Analysis: This represents only 0.0001 (or 0.01%) downtime.
Choosing Between Percent and Decimal Forms:
Use percent for:
Communication with non-technical stakeholders
Expressing larger proportions (e.g., 65% rather than 0.65)
Compliance reporting and high-level risk assessments
Use decimal for:
Mathematical calculations and probability computations
Expressing very small probabilities (e.g., 0.0001 rather than 0.01%)
Input into risk models and statistical tools
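The conversions in the Fractions to Percentages and Percent and Decimal Forms sections, written as one small input normaliser (an added example, not the page's own code). A risk calculator usually receives proportions typed in any of the three forms; this accepts "1/3", "30%" or "0.25", rejects values outside [0, 1] (a bare "5" is 5.0, not 5%), and converts back to a percent string for reporting. All sample values are constructed.

```python
import re
from fractions import Fraction

# Added example: normalise fraction / percent / decimal strings to a decimal
# in [0, 1] for calculation; to_percent() converts back for reporting.
_FRACTION = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")
_PERCENT = re.compile(r"^\s*(\d*\.?\d+)\s*%\s*$")
_DECIMAL = re.compile(r"^\s*(\d*\.?\d+)\s*$")

def to_decimal(text):
    """Fraction, percent or decimal string -> decimal proportion in [0, 1]."""
    m = _FRACTION.match(text)
    if m:
        num, den = int(m.group(1)), int(m.group(2))
        if den == 0:
            raise ValueError("zero denominator in %r" % text)
        value = num / den                   # step 1: numerator / denominator
    elif _PERCENT.match(text):
        value = float(_PERCENT.match(text).group(1)) / 100.0  # divide by 100
    elif _DECIMAL.match(text):
        value = float(_DECIMAL.match(text).group(1))  # bare "5" is 5.0, not 5%
    else:
        raise ValueError("not a fraction, percent or decimal: %r" % text)
    if not 0.0 <= value <= 1.0:
        raise ValueError("a proportion must lie in [0, 1]: %r" % text)
    return value

def is_proportion(text):
    """True if to_decimal() accepts the string, False otherwise."""
    try:
        to_decimal(text)
        return True
    except ValueError:
        return False

def to_percent(value, places=1):
    """Decimal -> percent string: multiply by 100, round, add the % symbol."""
    return "%.*f%%" % (places, value * 100.0)

def reduced_fraction(text):
    """'30%' -> '3/10': the page's reduction of 30/100 to lowest terms."""
    return str(Fraction(to_decimal(text)).limit_denominator(1000))

def joint(*texts):
    """Product of independent proportions given in mixed forms, as in the
    Multiplication section: joint("1/4", "20%") is 0.25 x 0.20 = 0.05."""
    result = 1.0
    for t in texts:
        result *= to_decimal(t)
    return result
```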
Working with Word Problems
Explanation of Working with Word Problems:
Word problems are essential in cyber risk quantification as they represent real-world scenarios that security professionals must analyze and solve. These problems often require translating narrative descriptions into mathematical expressions and calculations.
Key Steps in Approaching Word Problems:
Read Carefully: Understand the scenario and identify key information.
Identify Known and Unknown Values: Determine what data is provided and what needs to be calculated.
Choose Appropriate Mathematical Concepts: Select the right formulas or methods based on the problem.
Set Up the Problem: Translate the word problem into mathematical expressions.
Solve: Perform the necessary calculations.
Interpret: Explain the result in the context of cyber risk.
Example Word Problem:
“A company experiences an average of 100 phishing attempts per month. Their current security measures block 95% of these attempts. Of the phishing emails that get through, employees click on 10% of them. What is the expected number of successful phishing attacks per year?”
Step-by-Step Solution:
Read Carefully:
100 phishing attempts per month
95% blocked
10% click rate on unblocked attempts
Identify Known and Unknown Values:
Known: Monthly attempts, block rate, click rate
Unknown: Annual successful attacks
Choose Appropriate Mathematical Concepts:
Percentages
Monthly to annual conversion
Set Up the Problem:
- Calculate unblocked attempts per month:
100 × (1 − 0.95) = 100 × 0.05 = 5 attempts get through
- Calculate successful attacks per month:
5 × 0.10 = 0.5 successful attacks per month
- Convert to annual rate:
0.5 × 12 months = 6 successful attacks per year
Solve:
The expected number of successful phishing attacks per year is 6.
Interpret:
Based on current security measures and employee behavior, the company can expect about 6 successful phishing attacks annually. This information can be used to assess the need for additional security training or improved email filtering.
More Tips for Word Problems in Cyber Risk Quantification:
Look for Key Terms:
Words like “probability,” “average,” “rate,” or “percentage” often indicate the type of calculation needed.
Draw Diagrams:
Visual representations can help clarify complex scenarios, especially for multi-step attacks or system dependencies.
Use Consistent Units:
Ensure all time periods (e.g., daily, monthly, annually) are consistent in your calculations.
Consider Interdependencies:
In complex scenarios, consider how different factors might influence each other.
Sensitivity Analysis:
After solving, consider how changes in input values might affect the outcome.
Round Appropriately:
In risk assessment, excessive precision can be misleading. Round to a reasonable number of decimal places.
Provide Context:
Always relate your numerical answer back to the original question and its implications for cybersecurity.
Example Application:
“If implementing a new security awareness program reduces the click rate on phishing emails from 10% to 5%, how many successful attacks would be prevented annually?”
Solution:
New successful attacks per month: 5 × 0.05 = 0.25
New successful attacks per year: 0.25 × 12 = 3
Attacks prevented: 6 − 3 = 3
Interpretation: The new program would prevent 3 successful phishing attacks per year, halving the current risk.
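The phishing word problem and the awareness-program follow-up, written as a small reusable model (an added example, not the page's own code) so the same steps can be rerun for new inputs and the page's sensitivity-analysis tip can be applied. The inputs are the page's stated values; `sensitivity()` goes one step beyond the page by comparing a one-point improvement in the filter block rate with a one-point improvement in the click rate.

```python
# Added example (not from the page): the page's phishing word problem as a
# model; numbers are the page's values (100 attempts/month, 95% blocked,
# 10% click rate), expressed as decimals as the page recommends.
MONTHS_PER_YEAR = 12

def successful_attacks_per_year(attempts_per_month, block_rate, click_rate):
    """Expected successful phishing attacks per year.
    The page's steps: unblocked = attempts x (1 - block_rate);
    successful = unblocked x click_rate; annual = monthly x 12."""
    for name, p in (("block_rate", block_rate), ("click_rate", click_rate)):
        if not 0.0 <= p <= 1.0:            # rates must be decimals, not "95"
            raise ValueError("%s must be in [0, 1], got %r" % (name, p))
    unblocked_per_month = attempts_per_month * (1.0 - block_rate)
    successful_per_month = unblocked_per_month * click_rate
    return successful_per_month * MONTHS_PER_YEAR

def attacks_prevented(attempts_per_month, block_rate, old_click, new_click):
    """Annual attacks avoided when training moves the click rate old -> new."""
    before = successful_attacks_per_year(attempts_per_month, block_rate, old_click)
    after = successful_attacks_per_year(attempts_per_month, block_rate, new_click)
    return before - after

def sensitivity(attempts_per_month, block_rate, click_rate, delta=0.01):
    """One-at-a-time sensitivity: change in the annual figure when each
    rate improves by `delta`. Shows which control buys the most."""
    base = successful_attacks_per_year(attempts_per_month, block_rate, click_rate)
    better_filter = successful_attacks_per_year(
        attempts_per_month, min(1.0, block_rate + delta), click_rate)
    better_users = successful_attacks_per_year(
        attempts_per_month, block_rate, max(0.0, click_rate - delta))
    return {"base": base,
            "filter_plus_delta": better_filter - base,
            "click_minus_delta": better_users - base}

if __name__ == "__main__":
    print("per year:", round(successful_attacks_per_year(100, 0.95, 0.10), 2))
    print("prevented by 10% -> 5% click rate:",
          round(attacks_prevented(100, 0.95, 0.10, 0.05), 2))
    for k, v in sensitivity(100, 0.95, 0.10).items():
        print("%-18s %+.2f" % (k, v))
```

With the page's inputs, one more percentage point of filter effectiveness removes 1.2 attacks per year while one point less clicking removes 0.6, which is the kind of comparison the sensitivity tip is asking for.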