Cyberthreats, Budgets and Forecast Cones

Ever wonder why we keep reading about the rash of cyber-threats, incidents, and data losses occurring around the world?

Despite our best efforts – for some organizations – the problems persist, and there appears to be little we can do in the face of the onslaught.

Part of the underlying problem is a lack of funding or a misunderstanding about why a larger budget for the information security program is warranted.

Is this something we can control or is it something beyond our control?

Well there are things that are in our control – and others that are outside of our control.

What we can’t control

Things we do not control – and that we need to come to terms with – include:

  • Software fundamentally contains fatal weaknesses that cannot be controlled by formal systems
  • Software is delivered to market as components by multiple vendors who are not paid to do security testing on the assemblages

What we can control

Things we do control – and that we can do something about – include:

  • Easily exploited pathways that are wide-open to common interpreters and script-engines from the Internet into the enterprise
  • People are by nature lazy and generally take the easiest route to achieve their objectives
  • We historically underspend on information security because we don’t believe it’s going to happen to us
  • Our brains are wired to focus on what happened recently and as a result we miss the new patterns

We need to do a better job of communicating the reality of the threats facing our organizations. We tend to focus on the technology or the people using the technology, or both, instead of communicating the level of risk and the actions we want people to take. Rather than focus on “predicting” what the future will hold, we should borrow a page from the national weather service and use forecast cones of the kind used to warn people about hurricanes, tropical storms and other natural disasters.

Forecast cones

Like a hurricane or tropical storm, cyber-threats have a timeline to them, a range of territory they impact, and a range of possible outcomes. The real purpose of weather forecast cones is NOT to predict with exactitude what is going to happen (although the better the prediction the more people will pay attention) but is to WARN people about what’s coming, when, whether it’s likely to impact them, and what action they should be taking and when.

When was the last time a weather forecaster was fired for getting the forecast wrong?

If you said never, you’re right. But, what’s important to recognize is the purpose of the forecast cones.

The purpose of forecast cones is NOT to be right, but to provide a sensible warning for people to take action!

People are used to the vagaries of weather forecasting: storms are fickle, change paths, are complex and are not predicted easily. And we’ve yet to develop formal models that are accurate – and timely enough – to account for all possible boundary conditions affecting the outcomes of storms. But we now do a much better job of warning people of what to expect and when, and what actions they should take to avoid disaster.

The same is true of cyberattacks and our need to start forecasting these with cones.

While the visual analogs of forecast cones (see the following Forecast cone) are better at this, verbal versions of these cones might be:

  • there’s a 2% chance that 80% of our operations are going to be affected
  • there’s an 80% chance that 60% of our most critical operations are going to be affected
  • there’s a 10% chance we’re already breached and an 80% chance our reputation is at risk

And of course there are other ways to visually depict warnings and actions that will augment the use of cyberattack forecast cones. Your senior managers and board members already understand weather forecast cones, so why not try them out for information security, compliance, risk and governance?

Forecast cones for cyberattacks will go a long way toward telling relevant decision-makers what the likelihood of disaster is and what actions should be taken. Unlike reams of data covering IDS logs, this kind of communication is more likely to result in improved value- and risk-adjusted budgets for security programs.

Let us know what your experience is.
