So if you can’t get 100% with a single control, how do you get to 100% or close to it?
I’ll use worms as the example because it is easy, not because I think they are the most likely current threat.
If you can stop 80% of the worms with your company’s external firewall,
then stop 80% of the remaining worms with segmentation to your PCN,
then stop 80% of the remaining worms with a NIPS device,
then stop 80% of the remaining worms with a host-based firewall,
then 80% with patching,
then 80% with HIPS,
then 80% with memory-based protection.
If you can get an 80% reduction with each layer, then you have reached your .001% likelihood layer with 6 controls, even if you had 100% certainty of the threat event occurring to begin with.
So the trick is identifying the applicable controls, determining how they (and how much they) reduce the likelihood, and whether they can be layered with outer controls.
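To make the layering arithmetic concrete, here is a small Python model (added for this post, not the author’s own code) that multiplies the pass-through rate of each control and reports how many layers a target likelihood needs. The control names and the 80% figure come from the worm example above; the model assumes the layers fail independently, which is what makes the reductions multiply, so two controls that share a failure mode (the same signature feed, the same admin credential) should be entered as one layer.

```python
from math import prod

# Worm example from the post: each layer stops 80% of what reaches it.
# The list itself is constructed for this example.
WORM_LAYERS = [
    ("external firewall", 0.8),
    ("PCN segmentation", 0.8),
    ("NIPS", 0.8),
    ("host-based firewall", 0.8),
    ("patching", 0.8),
    ("HIPS", 0.8),
    ("memory-based protection", 0.8),
]


def residual_likelihood(initial: float, reductions: list[float]) -> float:
    """Likelihood left after independent layers; each reduction is the
    fraction of remaining events that layer stops (0.8 = 80%)."""
    if not 0.0 <= initial <= 1.0:
        raise ValueError("initial likelihood must be a probability")
    for r in reductions:
        if not 0.0 <= r <= 1.0:
            raise ValueError(f"reduction {r} is not a fraction between 0 and 1")
    # Independence assumption: pass-through rates (1 - r) multiply.
    return initial * prod(1.0 - r for r in reductions)


def cumulative_residuals(initial: float, layers) -> list[tuple[str, float]]:
    """Residual likelihood after each successive named layer."""
    out, residual = [], initial
    for name, r in layers:
        residual = residual_likelihood(residual, [r])
        out.append((name, residual))
    return out


def layers_needed(initial: float, reduction: float, target: float) -> int:
    """Smallest number of identical layers that brings the residual to or below target."""
    if not 0.0 < reduction <= 1.0 or target <= 0.0:
        raise ValueError("reduction must be in (0, 1] and target positive")
    n, residual = 0, initial
    while residual > target:
        residual *= 1.0 - reduction
        n += 1
    return n


if __name__ == "__main__":
    for name, residual in cumulative_residuals(1.0, WORM_LAYERS):
        print(f"{name:24s} residual likelihood {residual:.6%}")
```

Run it with a starting likelihood of 1.0 to see the residual fall layer by layer; lowering any single layer’s 0.8 shows how much the end result depends on every layer actually holding.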
This is why I have been so interested lately in the risk conversations at RiskAnalys and Episteme.
If we can identify a relationship between the units of risk and controls, that would be very valuable.