Means – a method or way of doing something
“the crowbar was the means for breaking into the house”
Opportunity – the chance to perform an action or have an event occur
“the open garage door provided the opportunity for the burglar to enter the house”
At the end of the chain of threats, motives and means lies opportunity, the one word where CISOs have the power to significantly measure and reduce their risk. At the end of the day, the CISO cannot do much to counter threats, motives or their means; what they can do is address the opportunities that exist in their organization for these attacks to be successful.
An organization’s exposure to various means (its opportunities) defines its risks. What measures are taken to counter these means represent the roadmap for improving the risk exposure of the organization.
To provide an example – A criminal organization (threat) is targeting small businesses with ransomware (means) in order to extort money from them (motive). The risk that an organization faces to this threat depends on what opportunities they have provided to the attacker to be successful. Do they have malware defenses on their servers and endpoints? Have they instructed their users how to identify possibly malicious attachments or phishing emails that may provide an avenue for malware to be loaded on to their devices? Do they have automated backups for their endpoints and servers that they have tested to be effective?
As countless organizations large and small can attest, if these three measures had been in place before they were struck with ransomware, the impacts they suffered would have gone from catastrophic to minor, while the likelihood would have been reduced as well. Since Risk = Impact * Likelihood, another way of saying this is that they would have gained a significant risk reduction by enabling these three simple measures.
For small and medium businesses, where technology funding and resources are likely to be tight, it is important to spend what funds are available wisely in order to maximize their risk reduction. A linked spreadsheet representing the Heuristic Security approach for reducing risk, by addressing the opportunities which enable the various means of attack, will be available shortly. For each means, the opportunities are phased from simplest to implement to more advanced, in a crawl-walk-run fashion.
All organizations, regardless of their size, should focus on implementing these controls in the order provided. For more mature organizations, these control levels provide a simple basis for measuring the organization's overall level of security maturity.