Cybersecurity Risk
Feeling overwhelmed by cyber risk? You're not alone. In today's digital world, cyber threats are both a complex problem and a strategic opportunity to strengthen your organization's resilience.
This podcast dives deep into the world of cyber governance and risk management. We'll have open conversations with experts to help you take your organization's cybersecurity posture from "as-is" to the next level.
Here's what you'll learn:
- Program and control assessments: Identify weaknesses in your current defenses.
- Risk identification and mitigation: Proactively address threats before they strike.
- Building a risk register: Track and prioritize your organization's risks.
- Crafting effective mitigation plans: Develop strategies to minimize cyber risk.
- And much more!
Join us and learn how to navigate the ever-evolving cyber landscape with confidence.
Mastering Cyber Asset Sampling: Optimize Your Assessment Process
Cyber Asset Assessment: Understanding the Importance of Sampling
In this episode, I dive into the crucial step of sampling in cyber asset assessment. Learn why sampling is essential, especially when dealing with large environments and limited resources. Discover the various types of sampling methods, including probability and non-probability sampling, and understand how to statistically correlate your sample size to the total population of your cyber assets. Perfect for anyone looking to efficiently and effectively assess their organization's cyber assets.
00:00 Introduction to Cyber Asset Assessment
00:26 Understanding Sampling in Large Environments
01:23 Statistical Ties and Inference in Sampling
02:30 Why Sampling is Essential
03:12 Types of Sampling Methods
04:25 Implementing Non-Probability Sampling
05:32 Final Thoughts on Sampling
Hey everyone. Now that you have a list of cyber assets that you're gonna assess, now that you know what environment you're gonna assess that critically impacts the mission and vision of the organization, what's next? The next would be: let's start assessing. However, there's an interim step here that I just don't want to skip, and that will vary. The reason I say it's interim, and also optional depending on the size of your organization and even the size of the environment you're trying to assess, is that this step is sampling. So check this out. Sometimes the environment is so large that you cannot do the entire set of assets that you have discovered, or you're stuck between: you either have time, resources, or money, right? So you either have the people but don't have the money, but have the resources. So you have to pick two out of three, right? That is the kind of situation that most of us find ourselves in.

What is sampling? So sampling, what we're looking for, and the one I'm gonna discuss here with you, is statistically tied to the entire population of cyber assets that you will assess. There are formulas online, and there are even tools online that can facilitate that for you. One, it's beyond the scope today, but it's not that difficult; you can find those. And the reason why you need that number statistically tied to the total number of assets that you will be assessing is because you want to avoid questions that say, "Where did you come up with this number?" Right? You picked it out of thin air? No, there is a statistical correlation with everything that you're gonna assess. That's first. Second is that you're gonna start inferring to the total. So from the results you find in the sample, you can infer that the total population of your assets, the total number of your assets, also has that same thing, whatever that finding is. So that is very important.

So why even do sampling if you can do everything? First of all, as already discussed, and I already alluded to it, is the fact that the environment is large enough and you lack the resources or time or even the money to do one. In terms of money, of course, sampling is cost effective. Also, the feasibility becomes much easier on a small set than on a large set of assets, in the timeline, of course. If you have all the time in the world, you might as well do it all. But none of us have that time, right? So you have to do it and be efficient. So sampling comes right into it.

So what kind of sampling should you do? Now that you understand what that formula is, and you understand what number of assets you need to assess, which assets will you assess? There are a few things that you can do. One is using probability sampling, and a few of them here: randomly selecting. That might work for you if it's a uniform environment. If you have an environment where certain devices have higher criticality than others, some of them are more vulnerable than others, let's say one is externally exposed, basically in a DMZ, and the other one is internal, so one is gonna have a higher priority, a random sample might not get the asset you're looking for to assess. The other one you can do is stratified sampling. That means putting them in buckets. For example, these are assets, their operating systems, or databases, or network devices, or these are DMZ and these are internal, depending on the grouping you make. But my preferred method is non-probability sampling. So the non-probabilistic one is purposive sampling. I understand the environment, I understand the ones that I'm targeting to assess, and I'll make sure that those at least are in my sampling, plus a lot more. And that makes it much easier for you to focus on the critical areas, the trouble systems, the ones that, for example, have a lot of standard exceptions: they cannot follow this, they cannot follow that. That makes sure that is part of your purposive sampling when you do that.

So now you have the formula that you discovered, the number statistically tied to the total population, the total assets you have. When you have that number, then you're gonna do a sampling from those numbers. You'll pick either using probability or non-probability, preferably non-probability. I use non-probability, and I like to make sure that I do this purposive sampling. I can gather other assets, but I'll make sure the ones I'm paying attention to are in there. So this is the interim sort of step that you need to take, depending on the size of your company. Maybe you don't have too many assets; you might as well just do the whole thing. But if you run into the problem of, wow, I have 15,000 assets that I need to do an assessment on, I need to do something that is smaller in scale yet represents everything that I'm trying to assess, based on the people that I have here to do the assessment, based on the time that has been provided to me, and based on that $0 budget that is being provided to me to complete this assessment. So sampling is that interim step that you need to make that happen.
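Added worked example, not from the episode: the speaker says formulas and tools exist for tying the sample size to the asset population but leaves them out of scope. The block below uses Cochran's sample-size formula with the finite population correction, one standard way to size a sample for estimating a proportion (such as "what fraction of assets have this finding") in a finite population, and then draws a sample three ways matching the episode's discussion: simple random, stratified by zone, and purposive. The 15,000-asset inventory, its zone, kind and exception attributes, and the high-priority rule are all constructed here for illustration and are not the podcast's data.

```python
"""Sizing and drawing a cyber asset assessment sample (added example).

The sample-size formula is Cochran's with the finite population correction (FPC);
the inventory and its attributes are constructed with a seeded RNG for illustration.
"""
import math
import random

# Two-sided z-scores for the usual confidence levels.
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(population, confidence=0.95, margin=0.05, p=0.5):
    """Smallest n such that a finding's prevalence in the sample estimates its
    prevalence in the whole population within +/- margin at the given confidence.
    p=0.5 is the worst case (largest variance), so n is never too small."""
    z = Z_SCORES[confidence]
    n0 = (z ** 2) * p * (1 - p) / margin ** 2        # infinite-population size
    n = n0 / (1 + (n0 - 1) / population)              # finite population correction
    return min(population, math.ceil(n))


def stratified_allocation(strata_sizes, n):
    """Split a total sample of n across strata in proportion to stratum size,
    using largest-remainder rounding so the parts sum to n. A stratum never
    gets more than it holds, so the total can fall below n for tiny strata."""
    total = sum(strata_sizes.values())
    raw = {k: n * size / total for k, size in strata_sizes.items() if size > 0}
    alloc = {k: int(x) for k, x in raw.items()}
    leftover = n - sum(alloc.values())
    for k in sorted(raw, key=lambda s: raw[s] - alloc[s], reverse=True)[:leftover]:
        alloc[k] += 1
    return {k: min(v, strata_sizes[k]) for k, v in alloc.items()}


def purposive_sample(assets, n, must_include, rng):
    """Non-probability (purposive) sampling: every asset the assessor has decided
    to look at is in the sample by construction; the rest of the quota is filled
    at random so the sample still represents the wider environment."""
    required = [a for a in assets if must_include(a)]
    if len(required) >= n:
        return required                               # critical set alone meets the quota
    rest = [a for a in assets if not must_include(a)]
    return required + rng.sample(rest, n - len(required))


def build_inventory(rng, size=15000):
    """Constructed inventory: ~5% of hosts sit in the DMZ, ~0.5% carry a standing
    policy exception. Attribute names are hypothetical."""
    kinds = ["server", "database", "network", "desktop"]
    return [
        {
            "id": f"asset-{i:05d}",
            "zone": "dmz" if rng.random() < 0.05 else "internal",
            "kind": rng.choice(kinds),
            "exception": rng.random() < 0.005,
        }
        for i in range(size)
    ]


def is_high_priority(asset):
    """Assessor's own rule (hypothetical): externally exposed databases and
    anything running under a policy exception must be in the sample."""
    return asset["exception"] or (asset["zone"] == "dmz" and asset["kind"] == "database")


def run(seed=7):
    rng = random.Random(seed)
    inventory = build_inventory(rng)
    n = sample_size(len(inventory))                   # 375 for 15,000 assets at 95% / 5%

    # Probability sampling: simple random, then a stratified allocation by zone.
    simple = rng.sample(inventory, n)
    by_zone = {}
    for a in inventory:
        by_zone[a["zone"]] = by_zone.get(a["zone"], 0) + 1
    strata = stratified_allocation(by_zone, n)

    # Non-probability sampling: the high-priority set is guaranteed to be in.
    purposive = purposive_sample(inventory, n, is_high_priority, rng)
    chosen = {a["id"] for a in purposive}
    required = [a for a in inventory if is_high_priority(a)]

    return {
        "n": n,
        "strata": strata,
        "simple_hits": sum(is_high_priority(a) for a in simple),
        "required": len(required),
        "missing": sum(a["id"] not in chosen for a in required),
        "purposive_size": len(purposive),
        "unique": len(chosen),
    }


if __name__ == "__main__":
    r = run()
    print(f"sample size: {r['n']}  stratified quota by zone: {r['strata']}")
    print(f"high-priority assets caught by simple random sampling: {r['simple_hits']} of {r['required']}")
    print(f"purposive sample: {r['purposive_size']} assets, {r['required'] - r['missing']} high-priority")
```

The comparison at the end is the point the episode makes: with the same statistically tied sample size, simple random sampling catches only a fraction of the high-priority assets, while the purposive sample contains all of them and fills the remaining quota at random. The DMZ count in the stratified quota also shows why buckets help: a small but critical stratum is guaranteed a share instead of depending on chance.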