How to optimize cybersecurity control decisions when supporting data is scarce
For many planning and decision-making exercises under risk and uncertainty, we often need to populate evaluation models with numerous parameter values. These may be difficult to obtain within the constraints of our immediate time and financial budgets, and of operational realities such as:
- Experiments are very difficult or costly to run in a timely manner.
- The system depends on the complex interaction of a number of driving variables that are difficult, if not impossible, to isolate while still maintaining the integrity of the system under scrutiny.
- Running experiments might present ethical constraints or barriers that could lead to irreversible harm to study subjects.
The Lens Model developed by Egon Brunswik and Kenneth Hammond provides a structured method for eliciting parameters for descriptor variables in these situations from subject matter experts (SMEs).
In this discussion, I present how we use the Lens Model to estimate the probability of experiencing a reportable ransomware event under an array of cybersecurity controls. This information can be used to optimize the chosen decision space for security controls. I also show how we identify the best SMEs using scoring tools that limit the effects of bias and noise. Of course, the process and tools presented can be applied generically to any complex systems analysis that is also subject to the methodological constraints described above.
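As an added example (not code from the original article), the judgment side of the Lens Model in Python: SME probability judgments over hypothetical control configurations are regressed on the 0/1 control cues to capture each cue's implicit weight, and the captured policy then scores every affordable control set. The cue list, the judgments and the control costs are constructed for illustration; the linear regression of judgment on cues is the Lens Model's standard judgment model, while the SME scoring for bias and noise mentioned above is not covered here.

```python
"""Lens Model policy capturing: fit SMEs' judged ransomware probabilities to the
control cues they were shown, then pick the lowest-risk control set on a budget."""
from itertools import combinations
# Controls shown as 0/1 cues in each hypothetical scenario (constructed list).
CUES = ["mfa", "edr", "offline_backup", "patch_sla"]
# Constructed elicitation data: (cue vector, SME's judged annual probability of a
# reportable ransomware event). Two SMEs rated the baseline differently, so the
# least-squares fit averages them instead of reproducing every judgment exactly.
JUDGMENTS = [
    ((0, 0, 0, 0), 0.40), ((0, 0, 0, 0), 0.44),
    ((1, 0, 0, 0), 0.30), ((0, 1, 0, 0), 0.32),
    ((0, 0, 1, 0), 0.34), ((0, 0, 0, 1), 0.36),
    ((1, 1, 0, 0), 0.20), ((1, 0, 1, 1), 0.16),
    ((1, 1, 1, 1), 0.06),
]

def solve(a, b):
    """Gaussian elimination with partial pivoting for the square system a x = b."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]

def capture_policy(judgments):
    """Ordinary least squares of judgment on cues (normal equations). Returns
    [intercept, w_mfa, w_edr, ...]: the linear judgment model of the Lens Model."""
    rows = [[1.0, *cues] for cues, _ in judgments]
    y = [p for _, p in judgments]
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k)]
    return solve(xtx, xty)

def predict(weights, cues):
    """Predicted event probability for a 0/1 cue vector under the captured policy."""
    return weights[0] + sum(w * c for w, c in zip(weights[1:], cues))

def best_control_set(weights, costs, budget):
    """Lowest predicted probability among affordable control subsets (cheapest on ties)."""
    subsets = [s for n in range(len(CUES) + 1) for s in combinations(CUES, n)]
    affordable = [(predict(weights, [int(c in s) for c in CUES]), sum(costs[c] for c in s), s)
                  for s in subsets if sum(costs[c] for c in s) <= budget]
    p, _, subset = min(affordable)
    return subset, p
```

With the constructed judgments the captured weights come out as an intercept of 0.42 and cue weights of -0.12, -0.10, -0.08 and -0.06; with costs of 25, 55, 20 and 40 and a budget of 70, the cheapest lowest-risk set is MFA plus offline backups at a predicted 0.22.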