Why All Security Engineers Should Learn Calculus (Part One: Derivatives)
What started as an exercise in understanding ML and Data Science expanded my view on how we can use calculus to make better decisions in cybersecurity.
I first started my learning journey with the intent of gaining enough knowledge of mathematics to understand the quantitative risk models I was encountering in my research. I just finished a Coursera course by DeepLearning.AI called Calculus for Machine Learning and Data Science and realized that I had only scratched the surface of mathematical applications to cybersecurity.
Like many of you, I took calculus in college and thought it was the most boring and useless of all the advanced math classes I had to take. Linear Algebra? Yeah, I could see how it's useful. Calculus? What did that have to do with anything I care about? (Note: this was before the AI craze, when Blockchain was the new hotness.)
However, this time around I was armed with years of experience and a problem to solve. As I went through the course material, it struck me just how important calculus is in our day-to-day as security engineers. Patching, Blast Radius, Ransomware: our heuristics behind all of these have a foundation in calculus.
In part one, I'm going to dig into how derivatives are critically important to our understanding of risk and operations.
Derivatives
Simply put, derivatives are the measure of the slope of a function. Said another way, they measure the rate of change of a function. You might know the classic example of a first derivative, velocity. Velocity measures the change in distance over the change in time. What struck me immediately is that velocity matters greatly in cybersecurity. For example, we care about the velocity of:
Malware Infection
Ransomware*
Monetary losses due to an incident
Patching
Code changes
*A special callout to ransomware because velocity is one of the most critical variables in a successful attack.
Take a minute and think about things you would care to know the rate of change of in your environment.
Now, let's look at an example.
Monetary Losses due to an Incident
Cybersecurity events all have a function that describes the monetary loss. In this example we have 2 events represented by functions f(x) and g(x) where x is the number of hours of the incident.
Event 1: f(x) = 400x
Event 2: g(x) = 20x^2
Event 1, represented by f(x), can be described as an event costing $400 per hour.
Event 2, represented by g(x), is where it gets interesting, since costs grow quadratically rather than linearly. Imagine a situation where you have a system that is critical for the productivity of your developers (i.e. GitHub, CI/CD infrastructure) and the cost of your developer time is $20 per hour. Every hour, 2 new developers need to use the system. This means that in the first hour 2 developers lose an hour, and in the next hour those same 2 developers lose an additional hour while 2 new developers also lose an hour.
In the plot you can see that the costs of Event 1 increase at a steady rate and pose more loss under 20 hours than Event 2. This can lead you to think “Well, if I keep the incident under 20 hours then Event 1 will cost less than Event 2. I think this is reasonable so I’ll focus on mitigating Event 1”.
This type of thinking is dangerous. This is where calculus becomes extremely useful to us. Instead of framing losses in absolute terms, we can use derivatives to show how fast we lose money during an incident and how much those losses accelerate over time.
First, we can calculate how fast we lose money in each incident. Think of this as the velocity of losses. The first derivative can be used to get the change in losses over change in time.
*I won’t go into how to calculate the derivative in this post so you will have to take my word for the following calculations.
Derivative of Event 1: f'(x) = 400
Derivative of Event 2: g'(x) = 40x
In this case, Event 1 has a higher absolute loss on the surface, but after taking the derivative you can see that Event 2 has a significantly higher potential for loss, and the graph makes it much clearer that it is more dangerous.
Next, we will see how the second derivative can be used to show how fast our losses accelerate.
2nd Derivative
While it is useful to know how fast something is changing, we may also want to know how fast the change is either increasing or decreasing. We can get the acceleration of a function by taking its second derivative. This will show us which event has a higher acceleration of losses over time.
Second Derivative of Event 1: f''(x) = 0
Second Derivative of Event 2: g''(x) = 40
This reveals why the threat represented by Event 2 is so much more dangerous. While the hourly loss of Event 1 stays constant over time, Event 2's per-hour losses increase by $40 every hour. So not only do losses from Event 2 eventually happen faster than those from Event 1, they are also increasing each hour. This makes the prospect of a long-lived event look even more dangerous than before.
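To make the numbers concrete, here is an added example (not from the original post) that models both events in Python, estimates the first and second derivatives numerically rather than by hand, and scans for the hours at which Event 2's loss rate and total loss catch up with Event 1's. The hour-by-hour developer tally is a constructed discretisation of the Event 2 story and is my assumption, not the post's.

```python
"""Velocity and acceleration of incident losses (added worked example).

Constructed model from the post: Event 1 f(x) = 400x, Event 2 g(x) = 20x^2,
where x is hours into the incident. Derivatives are estimated by finite
differences, so no differentiation rules are needed to follow along.
"""
from typing import Callable, Dict


def f(x: float) -> float:
    """Event 1 cumulative loss: a flat $400 per hour."""
    return 400 * x


def g(x: float) -> float:
    """Event 2 cumulative loss: developer outage, 2 new developers/hour at $20/hour."""
    return 20 * x ** 2


def velocity(func: Callable[[float], float], x: float, h: float = 1e-4) -> float:
    """First derivative (dollars lost per hour) via central finite difference."""
    return (func(x + h) - func(x - h)) / (2 * h)


def acceleration(func: Callable[[float], float], x: float, h: float = 1e-3) -> float:
    """Second derivative (change in the hourly loss rate per hour) via finite difference."""
    return (func(x + h) - 2 * func(x) + func(x - h)) / (h * h)


def profile(func: Callable[[float], float], x: float) -> Dict[str, float]:
    """Loss, velocity and acceleration of one event at hour x, rounded to cents."""
    return {
        "loss": round(func(x), 2),
        "velocity": round(velocity(func, x), 2),
        "acceleration": round(acceleration(func, x), 2),
    }


def first_hour_where(pred: Callable[[int], bool], max_hours: int = 1000) -> int:
    """Smallest whole hour for which pred holds, or -1 if it never does."""
    return next((hour for hour in range(1, max_hours + 1) if pred(hour)), -1)


def discrete_developer_loss(hours: int, rate: float = 20.0, new_devs: int = 2) -> float:
    """Hour-by-hour Event 2 story (constructed): in hour k, 2k developers each lose an hour."""
    return sum(new_devs * k * rate for k in range(1, hours + 1))


if __name__ == "__main__":
    for hour in (5, 10, 20, 30):
        print(hour, "Event 1:", profile(f, hour), "Event 2:", profile(g, hour))
    # Rates match at hour 10 (40x = 400); total losses match at hour 20 (20x^2 = 400x).
    print("rate catch-up hour:", first_hour_where(lambda h: profile(g, h)["velocity"] >= profile(f, h)["velocity"]))
    print("total loss catch-up hour:", first_hour_where(lambda h: g(h) >= f(h)))
```

The discrete tally (2200 dollars after 10 hours) sits slightly above g(10) = 2000 because it bills each developer for whole hours; g(x) is the smooth approximation the post differentiates.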
Situations like these are why calculus is so useful to the security engineer. It allows us to think about problems above their face value and measure them in terms of their velocity and acceleration.
With these simple tools we can create models which allow us to gain better insight into scenarios we may face. I encourage everyone to gain at least a rudimentary understanding of these concepts and try to apply them to any problem you are currently facing.