Countermeasure Score {cms}

If you would like to stay in touch sign up for our Newletter below!


How do you Calculate your Countermeasure Score?

Countermeasures are specific actions we put in place to mitigate Threats, for example we might put in place a Firewall to stop unauthorised access to servers and data within our environment.

The Countermeasure Score is a measurement of the effectiveness of your countermeasures against a specific Threat, for example, if the Threat to your data is a Virus, and this Virus is recognised by your Anti-Virus application, the effectiveness of for your Anti-Virus product would be high, and hence your Countermeasure Score would be high, for this specific threat.

When measuring your Countermeasure Score at an Enterprise level you will need to take in to account the effectiveness of all of your IT controls to mitigate the risk of the different attack vectors used by the bad guys to compromise your environment.

Countermeasure Score always start with a base score of one.

Countermeasure = 1

The reason for this is that to access your organisational data the bad guys already need to get pass natural countermeasures, for example, they need to have a computer connected to the same network as you or physical access to your servers, they likely need specialist knowledge and they need the motivation to compromise your environment. People don’t just walk past your building and the sensitive data falls in to their lap, there is a natural countermeasure that requires some specialist tools, access and or motivation to compromise your data.

The challenge with calculating your overall countermeasure score is that we do not always know what attack vectors the bad guys are going to use, and as the bad guys discover their current attack vectors are inefficient they will likely adapt and develop new ways to attack our organisation. So how do we measure the effectiveness of countermeasures when we do not fully understand what the current Threat is?

Your best defence? We implement Information Technology Security best practice, Defence in Depth.

Defence in Depth

Defence in Depth, in the context of IT Security, is the implementation of multi-layered or redundant levels of security controls that allows us to “fall back” or “retreat”, to a secondary layer of security if the first layer is breached.

The deployment of a Defence in Depth strategy is standard operating procedure in environments where it is assumed that a single strong defensive line would eventually be breached by multiple attempted incursions by the bad guy, such as the constant probing of your network by hackers on the web.

The strategy allows for a frontline defence failure, by ensuring the incursion is stopped at the next line of defence, therefore buying time to shore up defences and responding by implementing more countermeasures or eliminating the weakness identified in the frontline defences.

The goal is not to stop all breaches, as this is unlikely to be possible in an environment connected to the web where the bad guys are constantly adapting new methods to penetrate your network, but to slow the breach down thereby allowing an effective response to be formulated and implemented.

The Defence in Depth strategy is the correct response to the IT Risk problem, however we need to define what those defence layers are, based on what has previously proven effective to attacks.

Fortunately there has already been significant time invested by third party experts, in determining the correct defences to deploy in the Enterprise IT environment to minimise risks.

IT security Frameworks

There are numerous IT Security frameworks defined across the globe, the most popular ones being:

Center for Internet Security (CIS) benchmarks

ISO27001 a standard for an Information Security Management System

Payment Card Industry Data Security Standard (PCI DSS)

National Institute of Standards and Technology (NIST)

Security Policy Framework (SPF)

SANS - 20 Critical Security Controls

Each of these frameworks has a number of recommended IT controls to implement to be compliant to the standard. As a simple rule you can calculate your Enterprise Countermeasure Score by counting the total number of controls you have in place.

For example, the SANS Twenty Critical Security Controls, consist of the following recommended IT controls:

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defenses

6. Application Software Security

7. Wireless Device Control

8. Data Recovery Capability (validated manually)

9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11. Limitation and Control of Network Ports, Protocols, and Services

12. Controlled Use of Administrative Privileges

13. Boundary Defense

14. Maintenance, Monitoring, and Analysis of Security Audit Logs

15. Controlled Access Based on the Need to Know

16. Account Monitoring and Control

17. Data Loss Prevention

18. Incident Response Capability (validated manually)

19. Secure Network Engineering (validated manually)

20. Penetration Tests and Red Team Exercises (validated manually)

For each one of these controls that you have in place you get a +1, to your countermeasure total. If you have all of these controls in place your countermeasure score would be 21.

Countermeasure Score = 1(base) + 20 (All SANS implemented controls)

This is a simple and quick way to calculate your Countermeasure Score, but a more effective way might be to adjust the weightings of each control to be more representative of its effectiveness to mitigate current Attack Vectors. IT Risk Expert, Trevor Kennedy, maintains a current Risk Matrix for all of the above stated IT Frameworks, so it is worth requesting the latest version.

For our example, we now know our Asset Valuations, Our Threat Ratio, and our Countermeasure Score. We can plug these values in to the current version of our Risk formula to calculate our current Risk profile:

RISK = (100%{t} / 21{cms}) * $10,000,000{VaR}

RISK = $467,190

The Residual Risk in this example is circa $467k, if this is below your Risk Appetite you have achieved your goal Risk Profile. If this figure is above your Risk Appetite you will continue to improve your Countermeasure effectiveness by investing in extra countermeasures or making the existing technology more effective.

If you could invest, say, $100k, to improve your countermeasure effectiveness score from the current 21 to 32, you would end up with the following formula:

RISK = (100%{t} / 32{cms}) * $10,000,000{VaR}

RISK = $312,500

Clearly this would be something your organisation should do, because by investing $100k in extra IT controls, you were able to reduce your Residual Risk by a total of approximately $155k, this a Return on your Investment of 55%.

However, we have not yet completed the formula. As with any system, IT Control implementations will have weaknesses in the system, for example, you might rollout SANS Control #5, Malware Defences, which improves your Countermeasure Score, but this control relies on ensuring that your Malware Definition database is kept up to date so that it can detect the current Malware/Virus Signatures. If you do not keep these Definitions up-to-date you have Vulnerability within your IT Control System.

| IT Risk Management | IT Risk Measurement | IT Risk Formula | IT Risk Calculations |

Please read our "Terms" before making a comment.

blog comments powered by Disqus
To The Top