CyberVaR 360™

Cyber Risk in Dollars, Not Colors

Assessing the Risk and Impact of Phishing Attacks: A Step-by-Step Framework for Using Quantitative and Causal Methods

Posted by

Tim Layton

·

,

Phishing attacks pose a significant threat to organizations, leading to financial losses, data breaches, and reputational damage. Accurately assessing the risk and impact of phishing attacks is crucial for developing effective cybersecurity strategies.

In this article, I introduce a framework for developing quantitative and causal methods specifically tailored to real-world cybersecurity risk analysis scenarios. While this topic is vast enough to warrant an entire book, my goal here is to equip you with the foundational knowledge needed to get started effectively. By understanding these basics, you can begin applying these methods to enhance your cybersecurity strategies.

I share weekly insights on quantifying cyber risk in dollars, not colors — including Monte Carlo simulation, loss exceedance modeling, Cyber Value at Risk (VaR), and NIST CSF quantification. If you’re an executive, CISO, or security leader looking for practical, data-driven approaches to cyber risk, let’s connect on LinkedIn.

Connect With Me on LinkedIn

Summary of Phishing Attacks in the 2024 Verizon DBIR Report

The 2024 Verizon Data Breach Investigations Report (DBIR) highlights several key trends and findings regarding phishing attacks and their impact on organizations.

Prevalence and Tactics: Phishing remains one of the top methods used by cybercriminals to breach organizations. It accounted for approximately 73% of social engineering attacks, showing a significant increase in sophistication and frequency compared to previous years. This underscores the continued reliance of threat actors on phishing as a primary vector for initial access.

Human Element: The human element is a critical factor in many breaches, with 68% involving some form of human interaction, such as falling victim to phishing attacks. This highlights the importance of ongoing security awareness and training programs to mitigate the risk posed by phishing.

Financial Impact: The financial repercussions of phishing attacks can be severe. The report notes that the median time for users to click on a phishing email link is 21 seconds, with data entry following within another 28 seconds. This rapid engagement underscores the need for quick detection and response mechanisms to mitigate potential damage.

Response and Reporting: There has been a positive trend in the reporting of phishing attempts during security awareness exercises. In 2023, 20% of users reported phishing attempts during simulations, and 11% of those who clicked on a phishing email also reported it. Despite these improvements, the speed at which users fall for phishing emails remains a significant challenge.

Insider Threats: Insider threats, including those involving phishing attacks, continue to be a concern. However, there has been a noted decrease in collusion between internal and external actors, which is a positive development in the fight against insider-driven breaches.

Vulnerability Exploitation: The report also emphasizes the growing trend of exploiting vulnerabilities in conjunction with phishing and other extortion tactics. This combination of tactics makes it crucial for organizations to maintain up-to-date patching and robust vulnerability management programs.

For more detailed insights, you can access the full 2024 Verizon DBIR report.

In this article, I provide a step-by-step framwork combining quantitative and causal methods to assess phishing risks comprehensively.

I share weekly insights on quantifying cyber risk in dollars, not colors — including Monte Carlo simulation, loss exceedance modeling, Cyber Value at Risk (VaR), and NIST CSF quantification. If you’re an executive, CISO, or security leader looking for practical, data-driven approaches to cyber risk, let’s connect on LinkedIn.

Connect With Me on LinkedIn

Step 1: Define the Scope and Objectives

Before starting the assessment, clearly define the scope and objectives. Identify the specific aspects of phishing risk you want to assess, such as the likelihood of successful attacks, the financial impact, and the effectiveness of mitigation strategies.

Step 2: Identify Key Variables

Identify the key variables that influence the risk and impact of phishing attacks. Your organization likely has access to this type of information so it should be considerable relaible. These may include:

  • Volume of Phishing Emails Received: The number of phishing emails targeting the organization.
  • Email Filtering Effectiveness: The percentage of phishing emails successfully blocked by the organization’s email filtering systems.
  • Employee Training Levels: The effectiveness of employee training programs in recognizing and avoiding phishing attempts.
  • Response Rate to Phishing Emails: The percentage of employees who fall for phishing attempts.
  • Financial Impact per Successful Attack: The average financial loss resulting from a successful phishing attack. Note: If your organization does not have a history of losses related to phishing attacks, refer to reliable industry reports such as the DBIR to establish a benchmarch for your organizations industry. Other reports such as the Cyentia IRIS Report are also good sources as well.

Identifying key variables is essential for developing more advanced Bayesian Networks in cybersecurity risk analysis. By determining the most relevant factors influencing phishing risks—such as the volume of phishing emails, the effectiveness of email filtering, employee training levels, response rates to phishing emails, and financial impact per successful attack—these variables can be represented as nodes in the network. This is beyond the scope of this article, but I do have other articles about Bayesian Networks and associated Python programs on the website that you can review.

Establishing the causal relationships between these variables allows for the creation of a comprehensive model that accurately reflects the dynamics of phishing threats. Conditional Probability Tables (CPTs) quantify these relationships, ensuring the model is grounded in empirical data and expert judgment.

This approach enhances the network’s ability to perform inference and scenario analysis, making it a powerful tool for predicting and mitigating cybersecurity risks. By continuously updating the network with new data, organizations can maintain an up-to-date and effective risk management strategy.

In my next article, I will describe how to create a Bayesian Network using the steps used in this article.

I share weekly insights on quantifying cyber risk in dollars, not colors — including Monte Carlo simulation, loss exceedance modeling, Cyber Value at Risk (VaR), and NIST CSF quantification. If you’re an executive, CISO, or security leader looking for practical, data-driven approaches to cyber risk, let’s connect on LinkedIn.

Connect With Me on LinkedIn

Step 3: Collect Data

Gather historical data on each identified variable from both internal and external sources. This may include:

  • Internal Sources: IT security logs, employee training records, incident reports, and financial records.
  • External Sources: Industry reports on phishing trends, threat intelligence feeds, and benchmarking data from similar organizations. I previously mentioned the DBIR and Cyentia IRIS reports as noted above.

Step 4: Develop a Probabilistic Risk Model

Use quantitative methods to develop a probabilistic risk model that estimates the likelihood and financial impact of phishing attacks.

Step 4.1: Model Probabilities

  1. Volume of Phishing Emails Received: Model this variable using a Poisson distribution, which is suitable for count data.
  2. Email Filtering Effectiveness: Model this variable using a beta distribution, which is suitable for probabilities.
  3. Response Rate to Phishing Emails: Also model this variable using a beta distribution.
  4. Financial Impact per Successful Attack: Model this variable using a normal or log-normal distribution, depending on the data’s characteristics.

You will need to have a background and training in statistics in order to understand and apply the distributions I note above. You don’t need a degree in statistics to understand and apply distributions in the context I have noted above.

I have a dedicated page where I have examples to help illustrate how to use and write python code for these distributions.

Step 4.2: Run Monte Carlo Simulations

Use Monte Carlo simulations to generate thousands of possible outcomes based on the probability distributions of the identified variables. This involves:

  1. Random Sampling: Randomly sample values for each variable from their respective distributions.
  2. Simulate Outcomes: Combine these sampled values to simulate the overall risk and impact of phishing attacks.
  3. Aggregate Results: Aggregate the simulation results to create a probabilistic distribution of potential losses.

Monte Carlo Simulations can easily be developed in Microsoft Excel. If you don’t have the knkowledge or background to do this, I recommend reading Doug Hubbard’s book “How To Measure Anything in Cybersecurity, 2nd Edition”. I also have written articles here on the website showing how I use Python instead of Excel.

Step 4.3: Analyze Results

Analyze the simulation results to determine the likelihood of different levels of financial impact. For example, you might find that there is a 10% chance of incurring losses exceeding $1 million and a 1% chance of losses exceeding $5 million.

Step 5: Develop a Causal Model

Use causal modeling techniques to understand the relationships between different variables and the risk of successful phishing attacks.

Step 5.1: Define Causal Hypotheses

Formulate hypotheses about how the identified variables interact. For example:

  • Better employee training reduces the response rate to phishing emails.
  • More effective email filtering decreases the volume of phishing emails that reach employees.

Step 5.2: Build a Causal Model

Use Bayesian networks or structural equation modeling to represent the causal relationships between variables. This involves:

  1. Define Nodes: Each variable is represented as a node in the network.
  2. Define Edges: Draw edges between nodes to represent causal relationships, assigning probabilities or coefficients based on the data.

Step 5.3: Validate the Model

Test the causal model’s predictions against actual outcomes to ensure its accuracy. Adjust the model as necessary to improve its predictive power.

Step 6: Integrate Quantitative and Causal Models

Combine the insights from both models to create a comprehensive risk assessment.

Step 6.1: Simulate Interventions

Use the causal model to simulate the impact of potential interventions. For example, assess how improving employee training or enhancing email filtering might reduce the overall risk of successful phishing attacks.

Step 6.2: Quantify Impact of Interventions

Quantify the potential reduction in financial impact using the probabilistic model. For example, if the causal model predicts a 50% reduction in the response rate to phishing emails, use the probabilistic model to estimate the corresponding decrease in potential losses.

Step 7: Develop Risk Mitigation Strategies

Based on the integrated assessment, develop targeted risk mitigation strategies. These may include:

  • Enhancing Employee Training: Implement regular, high-quality training programs to improve employees’ ability to recognize and avoid phishing attempts.
  • Upgrading Email Filtering Systems: Invest in advanced email filtering technologies to reduce the number of phishing emails that reach employees.
  • Implementing Multi-Factor Authentication (MFA): Use MFA to add an additional layer of security, reducing the impact of compromised credentials.

Step 8: Monitor and Review

Continuously monitor the effectiveness of implemented strategies and review the risk assessment periodically. Update the models with new data and insights to ensure ongoing accuracy and relevance.

Conclusion

Combining quantitative and causal methods provides a robust framework for assessing the risk and impact of phishing attacks. By integrating probabilistic risk assessment with causal modeling, organizations can gain a comprehensive understanding of their vulnerabilities and develop effective, data-driven strategies to mitigate cyber risks. This approach enables organizations to make informed decisions, prioritize resources efficiently, and enhance their overall cybersecurity posture.

I share weekly insights on quantifying cyber risk in dollars, not colors — including Monte Carlo simulation, loss exceedance modeling, Cyber Value at Risk (VaR), and NIST CSF quantification. If you’re an executive, CISO, or security leader looking for practical, data-driven approaches to cyber risk, let’s connect on LinkedIn.

Connect With Me on LinkedIn

About Tim Layton

Tim Layton is a respected authority in cybersecurity and cyber risk quantification, with over two and a half decades of experience at some of the world’s leading organizations. He seamlessly integrates technical expertise with strategic business insights and leadership, making him a trusted guide in navigating the complexities of modern cybersecurity.

Tim specializes in using Bayesian statistics and Python to quantify and manage cyber risks. His deep understanding of probabilistic models and data-driven decision-making allows him to assess and quantify cyber threats with precision, offering organizations actionable insights into potential loss scenarios and risk mitigation strategies.

    Discover more from CyberVaR 360™

    Subscribe now to keep reading and get access to the full archive.

    Continue reading