At the present time, I am working on my 6th book, which is all about testing Web applications from both the backend (which is typically the database and the server that it resides upon) and the front end (this is the part that you see as the end user).
Currently, I am close to wrapping up the first chapter, which is all about the network security aspect (for example, securing the lines of communication from the end user to the Web application and vice versa).
The section that I was writing about last night was how one could potentially assess the risk of a Cyberattack impacting the Web application in question. There are many commonly used models, but you will have to wait until the book is published to find out exactly what I have written (and of course, I am hoping that you will purchase the actual book – LOL).
But we continue with this topic in today’s blog. Why, you may be asking? Well, it is a very essential part of creating any Security Policy, and even an Incident Response/Disaster Recovery plan, for any SMB. As I just said, there are many risk assessment models out there – so which one is a CIO or CISO to choose?
Try this one: the Common Vulnerability Scoring System (CVSS) v3.0. It has been established and is currently being used by the National Vulnerability Database (NVD).
The nice thing about this particular risk assessment model is that it is open sourced, meaning any business or corporation can adopt it quickly: it provides an open framework for communicating the potential impacts of IT vulnerabilities.
This is a quantitative approach: several Key Performance Indicators (KPIs) and metrics are used to compute a numerical value that conveys just how serious a Cyberattack can be.
These values are then broken down into five levels of risk which are as follows:
To illustrate the power of this risk assessment model, a Cybersecurity firm known as “eSentire” used it in its recent Q1 2019 Quarterly Threat Report. In this market research survey, 650 SMBs were surveyed, and only 8% of them experienced a level of Medium Risk or higher.
What does this mean? Well, it means that the Cyberthreat faced by the average SMB owner is falling sharply, or that they simply have not experienced a Cyberattack just yet.
This makes sense – because after all, the Cyberattacker is much more interested in targets that are high value and “prestigious”, such as the Fortune 500 companies. Here is a graphic illustration that summarizes the general findings of their report:
From the above graphic, one can see that, from a broad viewpoint, the insurance, technology, and finance industries are the most prone to a Cyberattack. But it should be noted that those industries that offer a wide array of products and services are just as much at risk, or even more so, from a Cyberthreat – simply because their attack surface is much broader.
A KPI that was used extensively is known as the “Average Weaponization Time”, or “AWT” for short. This metric reflects the time that elapses between when a risk or vulnerability is discovered and when it is completely mitigated. This can be seen in the below graphic as well:
As one can see, the time to discovery is getting shorter, and the response time to mitigate is getting shorter too – which simply means that the SMB is being a lot more proactive in keeping the Cyberattacker at bay.
My Thoughts On This
It seems quite interesting that the SMB is much more on the alert than their larger, Fortune 500 counterparts. I surmise that the SMB has a lot more to lose in the end – after all, if they are hit by a Cyberattack, not only can it wipe them out financially, but the costs of a tarnished brand and lost customers are even greater.
After all, it can take months and even years to get new customers and, most importantly, to develop their trust in you as the SMB owner.
But it can take just a matter of seconds to lose a customer (believe me, I am talking from my own experience) and even longer to win them back and get newer ones as well. But the Fortune 500 – well, they have the ability to withstand a few blows now and then, because they have the financial resources as well as the assets to do so.
But remember, using a risk assessment model is just one part of your entire Cybersecurity arsenal. Although it provides good insight as to how much at risk an SMB is from a Cyberattack, it by no means should be used as the sole indicator to rely upon. In this regard, the use of Artificial Intelligence (AI) and Machine Learning (ML) tools can be of even greater help.
For example, once enough intelligence data is fed into them, these tools can learn from it and project what the future Cyberthreat landscape looks like for an SMB. Best of all, they can do this in real time, as the many variables and factors change on an almost minute-by-minute basis.
Also, they can compute all of this in just a matter of seconds, versus the time that it takes to manually compute your risk exposure using the model described in this blog.
Being an SMB owner, you may be thinking that using AI and ML tools is an expensive proposition for your IT budget, but the truth is, many of them are now offered as a Cloud based service. Meaning, they are affordable (at a fixed, monthly price) and easy to deploy with just a few clicks of a mouse.
But also keep in mind that in order to really discover the risks that you face, it is important that you conduct both Penetration Testing and Threat Hunting exercises. After all, these will truly unearth even the unknown vulnerabilities and gaps that your Cyber based lines of defense could be exposed to.
Finally, more detail about both the risk assessment model detailed in this blog and the research report can be seen at the following links: