Machine learning and risk management are two big ideas being applied to cybersecurity in the enterprise today. In this blog, we discuss how one can support the other – specifically how machine learning can be used to improve risk management and why security professionals should consider doing so.
- Machine learning can make risk management more proactive
For risk management to succeed, it needs to identify what could happen and how likely each of those events is. Risk-based decisions are then made on the basis of those two items. Machine learning methods have a long track record of being useful for prediction, and their predictions are data-driven rather than opinion-driven. We think boards will increasingly demand exactly that.
- Probabilities can be assigned to various outcomes
Understanding what could happen is only part of the equation; understanding how likely it is is a different problem. Probabilities are the universal language for communicating uncertainty, which makes them central to risk management practice. Manual methods rely on human beings assigning those probabilities. That opens the door to gaming the results, and research on human judgement has repeatedly shown that our biases make us poor at estimating probabilities in the first place. Machine learning offers a suite of data-driven methods to address this problem. Once probabilities are in hand, we can also act to reduce the probabilities of the most severe outcomes, a key goal of any risk management process.
- Improved quantification
The next building block after probabilities is expected value ("expected loss" in risk management is one such expected value): the probability-weighted average of an outcome. For example, take two scenarios, we get breached or we do not, with a breach costing $10 million. Weighting the two outcomes equally gives an average cost of $5 million. Assigning real probabilities gives a more accurate picture: with a 10% chance of a breach, the expected cost is $1 million (0.10 × $10 million). Expected values give a way to estimate cost in the average case and a target number to reduce. They also provide a basis for comparison. For example, if patching a certain vulnerability costs $50,000 and the expected loss from not patching is $30,000, then perhaps other priorities should come first. Two caveats apply when making that comparison: the cost and the expected loss must cover the same time period (a per-year probability set against a one-off patch cost is a common mismatch), and an expected value says nothing about the spread of outcomes, so a low-probability but catastrophic scenario can still deserve attention even when its expected loss looks small.
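The expected-loss arithmetic above, and the idea from the previous section of reducing the probability of the worst outcomes, can be written down as a small calculation that ranks candidate controls by how much expected loss they remove per dollar spent. This is an added example, not code from the original post; every scenario, probability and dollar figure in it is constructed (the $300,000 loss and 10% per-year probability behind the post's $30,000 figure, the 1% post-patch probability, and the phishing scenario are all assumptions), and the probabilities are the inputs a machine-learning model, or today an analyst, would supply.

```python
"""Expected-loss arithmetic for security risk decisions.

Added example, not code from the original post. All scenarios, probabilities
and dollar figures are constructed; the per-period probabilities are where a
machine-learning model (or, today, an analyst) would plug in its estimate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # chance the outcome occurs within the period (e.g. one year)
    loss: float         # cost in dollars if it does


def expected_loss(scenarios):
    """Probability-weighted average loss over mutually exclusive scenarios.

    The implicit 'nothing happens' outcome carries the remaining probability
    and costs nothing, so the listed probabilities must sum to at most 1.
    """
    if any(s.probability < 0 for s in scenarios):
        raise ValueError("probabilities must be non-negative")
    if sum(s.probability for s in scenarios) > 1.0 + 1e-9:
        raise ValueError("probabilities of exclusive scenarios exceed 1")
    return sum(s.probability * s.loss for s in scenarios)


def equal_weight_average(scenarios):
    """The naive average the post warns about: every outcome, including
    'nothing happens', weighted the same regardless of how likely it is."""
    return sum(s.loss for s in scenarios) / (len(scenarios) + 1)


def break_even_probability(control_cost, loss):
    """Probability at which a control that removes the loss entirely pays for
    itself; above it, the control costs less than the expected loss it avoids."""
    return control_cost / loss


def expected_loss_reduction(before, after):
    """How much expected loss a control removes (its benefit in dollars).
    'before' and 'after' must describe the same period as the control's cost."""
    return expected_loss(before) - expected_loss(after)


def prioritise(options):
    """Rank candidate controls by net benefit (reduction minus cost), best first.

    options: list of (control_name, control_cost, scenarios_before, scenarios_after).
    Controls with negative net benefit stay in the list so the caller can see
    what they would cost; expected value alone hides tail risk, so the caller
    should still look at the largest single loss before dropping a control.
    """
    scored = []
    for name, cost, before, after in options:
        benefit = expected_loss_reduction(before, after)
        scored.append((name, benefit - cost, benefit, cost))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # The post's example: breach or no breach, $10M if breached, 10% chance.
    breach = [Scenario("breach", 0.10, 10_000_000)]
    print(f"naive average:   ${equal_weight_average(breach):,.0f}")
    print(f"expected loss:   ${expected_loss(breach):,.0f}")

    # The post's patching example, with constructed underlying numbers:
    # a $300k loss if exploited at 10% per year gives the $30k expected loss.
    unpatched = [Scenario("exploited", 0.10, 300_000)]
    patched = [Scenario("exploited", 0.01, 300_000)]  # assumed: patch cuts p to 1%
    phish_before = [Scenario("phished", 0.30, 120_000)]  # constructed competitor
    phish_after = [Scenario("phished", 0.05, 120_000)]
    ranking = prioritise([
        ("patch vulnerability", 50_000, unpatched, patched),
        ("phishing-resistant MFA", 20_000, phish_before, phish_after),
    ])
    for name, net, benefit, cost in ranking:
        print(f"{name:24s} benefit ${benefit:>9,.0f}  cost ${cost:>7,.0f}  net ${net:>9,.0f}")
    print(f"patch breaks even once p >= {break_even_probability(50_000, 300_000):.1%}")
```

Run as a script, it reproduces the post's $5 million naive average and $1 million expected loss, then shows why the $50,000 patch loses out to the cheaper control: it removes $27,000 of expected loss per year against a $50,000 cost, while the MFA rollout removes $30,000 for $20,000. The break-even figure (16.7% per year for this loss size) is the more useful number to hand back to whoever is estimating the probability, since it tells them how confident they need to be before the patch becomes the better spend.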
Risk management is an important part of cybersecurity. That said, manual methods still dominate in most enterprises, which reduces their effectiveness because of the human biases described above. Machine learning offers a compelling paradigm for overcoming this difficulty.