Chapter 2

Fitzwilliam Darcy Quantifies a Vendor Risk

Fitzwilliam Darcy, Director of Risk Management at Derbyshire Holdings, has just inherited oversight of the company's third-party HVAC contractor, Pemberley Climate Services. Pemberley's technicians plug their laptops directly into the corporate network when servicing chillers in the data center — a practice that survived an acquisition five years ago and was never re-evaluated.

The asset Darcy is most worried about is the customer payment database, valued at $4,000,000. Based on Pemberley's poor patching record and recent breaches at peer firms, Darcy estimates that a Pemberley-originated compromise would destroy roughly 25% of that asset's value, and that such an incident is plausible once every five years.

Darcy is presenting to the board next month. The CEO, Mr. Bingley, wants three things: a defensible dollar figure for annual exposure, a clear classification of the threat actor profile (so legal can decide whether to involve law enforcement preemptively), and a recommended treatment strategy. Darcy also plans to map Pemberley's likely intrusion path against an industry framework, and to argue for a continuous-monitoring tool rather than the current annual questionnaire.

Fill in each blank to complete Darcy's board memo.

Given the asset value and exposure factor, the Single Loss Expectancy (SLE) for a Pemberley-driven breach of the payment database is ________. With an annualized rate of occurrence of 0.2, the Annualized Loss Expectancy (ALE) is ________.

Because Pemberley itself is unlikely to be the attacker — but is the path an attacker would use — Darcy classifies this as a ________ risk. The most likely adversary profile, motivated by financial gain and possessing moderate but not nation-state-level resources, is the ________.

To map the likely intrusion (initial access via the contractor laptop, then lateral movement to the database), Darcy will present the scenario using the ________ framework, which catalogs adversary tactics and techniques observed in the wild.

Given that the ALE exceeds the cost of network segmentation but the residual risk is still non-zero, Darcy recommends a ________ strategy — segment Pemberley onto an isolated VLAN and require jump-host access. To replace the static annual questionnaire with continuous visibility into Pemberley's security posture, Darcy will propose adopting a ________ platform.