Working with SmartCustody Risk Assessment Framework

Ilya Evdokimov
Jul 19, 2019

TLDR;

We describe a small modification of the original SmartCustody risk assessment example (here) that takes several cryptocurrencies and several locations of funds into account when defining the Consequences of interfaces and nodes, so that a node's score depends on the amount and the location of the user's assets. The extended example is available as a Google Spreadsheet, but to view and download the document the user has to pass through a Lightning Network paywall.

Intro

SmartCustody is a convenient way to avoid biases when evaluating the security of personal funds. The extended parts of the book by Christopher Allen & Shannon Appelcline also give some insight into managing clients' funds, and the suggested approach can generally be applied to services and businesses. Developing such a model for a service is the main aim of the author.

Portfolio, Location of Funds and Valuation of Assets

All changes to the standard SmartCustody example concern Asset Characterization. In Step 1, Asset Identification, the user must enumerate all assets in all the places they are held. For example:

• Bitcoin held at Coinbase

• Bitcoin held in cold storage

• Ethereum held in a paper wallet

Then, in Step 2 (Value Your Assets), each of these holdings (the Bitcoin ones are essentially a single asset, 'Bitcoin', held in several places) must be valued on a scale from 1 to 10, for example:

1. Bitcoins at Coinbase [5]

2. Bitcoins in cold storage

a. Paper wallets stored in a file cabinet [10]

In the original methodology the asset value is a compound characteristic that depends on both the amount and the location of the funds. These values are used later when assessing the vulnerabilities of each node.

To build a complementary and verifiable method for portfolio security risk assessment, it is convenient to derive the final values calculated in Step 2 from three factors:

  1. the asset's fraction of the whole portfolio,
  2. the allocation location (Vault, Exchange, Hot Wallet, etc.), expressed as a location coefficient,
  3. the asset's 'importance' (I won't use the word 'value' again here).

The last metric, asset 'importance', looks controversial, because the asset's portfolio fraction already implicitly encodes how much of the funds is allocated to the selected currency. But since the portfolio fraction and the location coefficient are normalized, it is fine to set 'importance' to 10 or lower, as was done in the original SmartCustody example.

Checking Against SmartCustody Example

Here we demonstrate that the same results as in the SmartCustody example are obtained if the Bitcoin fraction of the portfolio is set to 1. The original valuation [5] for Bitcoins at Coinbase can then be reached in two ways: by adjusting the final 'importance' directly, or by tuning the location coefficient and the 'importance' together so that their product gives the same score.

Original example. The vulnerabilities are enumerated slightly differently. The Fixed Risk Line corresponds to 80% risk.

You can download the SmartCustody model from Google Spreadsheets and play with the numbers and coefficients. Any additional charts for the whole portfolio you will have to build yourself in LibreOffice Calc or MS Excel, because Google Spreadsheets is not advanced enough to easily combine the 'Risk Assessment: Consequences' and 'Risk Assessment: Probabilities' tables.

The orange points on the chart represent the Fixed Risk Line; the points of that line are calculated from the generic risk formula of the SmartCustody book.

To turn a vulnerability into a risk requires a simple formula:

risk = vulnerability consequence x vulnerability likelihood

An animated chart shows the Fixed Risk Line being moved from 50% to 40%.

Playing with Fixed Risk Line
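The derivation of the Step 2 scores from portfolio fraction, location coefficient and 'importance', the check that a Bitcoin fraction of 1 reproduces the original [5] and [10], and the Fixed Risk Line built from risk = consequence x likelihood can all be put into a few lines of code. The block below is an added example, not the author's spreadsheet and not code from the SmartCustody book. It assumes a product model (fraction x location coefficient x importance, rounded to the 1-10 scale), assumes likelihood is also scored 1-10 so that the maximum risk is 100, and uses constructed location coefficients and per-node likelihoods; the holdings are the ones listed in Step 1, with a diversified variant added to show that lowering a currency's portfolio fraction lowers the risk of every node holding it.

```python
"""Portfolio-aware SmartCustody consequence scores and a Fixed Risk Line.

Added example, not the author's spreadsheet or the book's own code.
Assumed model: Step 2 value = fraction(currency) x location coefficient x
importance, rounded to 1..10; likelihood is 1..10 too, so max risk is 100
and the p% Fixed Risk Line is the curve consequence x likelihood = p.
Coefficients, likelihoods and the diversified portfolio are constructed.
"""
from dataclasses import dataclass

# Assumed location coefficients, chosen so that with the whole portfolio in
# Bitcoin (fraction 1) the original example's [5] (exchange) and [10]
# (paper wallet in a file cabinet) come out.
LOCATION_COEFFICIENT = {
    "exchange": 0.5,    # custodial account, e.g. Coinbase
    "hot_wallet": 0.7,  # online wallet under the user's own keys
    "vault": 1.0,       # cold storage / paper wallet
}

MAX_SCORE = 10  # consequence and likelihood both run from 1 to 10


@dataclass(frozen=True)
class Holding:
    name: str
    currency: str
    location: str
    importance: int = 10  # 1..10, kept at 10 as in the original example


def check_inputs(holdings, fractions, likelihoods):
    """Refuse inconsistent input rather than silently reporting low risk."""
    total = sum(fractions.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"portfolio fractions sum to {total}, expected 1.0")
    for h in holdings:
        if h.currency not in fractions:
            raise ValueError(f"{h.name}: no portfolio fraction for {h.currency}")
        if h.location not in LOCATION_COEFFICIENT:
            raise ValueError(f"{h.name}: unknown location {h.location!r}")
        if not 1 <= h.importance <= MAX_SCORE:
            raise ValueError(f"{h.name}: importance out of range")
        if not 1 <= likelihoods.get(h.name, 0) <= MAX_SCORE:
            raise ValueError(f"{h.name}: likelihood missing or out of range")


def consequence(h, fractions):
    """Step 2 value: fraction x location x importance, clamped to 1..10."""
    raw = fractions[h.currency] * LOCATION_COEFFICIENT[h.location] * h.importance
    return max(1, min(MAX_SCORE, round(raw)))


def fixed_risk_line(percent):
    """Consequence needed at each likelihood to sit exactly on the p% line."""
    target = percent * MAX_SCORE * MAX_SCORE / 100
    return {lk: target / lk for lk in range(1, MAX_SCORE + 1)}


def assess(holdings, fractions, likelihoods, percent):
    """risk = consequence x likelihood per node; flag nodes on or above the line."""
    check_inputs(holdings, fractions, likelihoods)
    target = percent * MAX_SCORE * MAX_SCORE / 100
    report = {}
    for h in holdings:
        c = consequence(h, fractions)
        lk = likelihoods[h.name]
        report[h.name] = {
            "consequence": c,
            "likelihood": lk,
            "risk": c * lk,
            "above_line": c * lk >= target,
        }
    return report


# Constructed data: the likelihoods stand in for the per-node scores the
# spreadsheet's Probabilities table would supply.
LIKELIHOODS = {
    "Bitcoin at Coinbase": 8,
    "Paper wallet in a file cabinet": 3,
    "Ethereum in a paper wallet": 3,
}
ORIGINAL_HOLDINGS = [
    Holding("Bitcoin at Coinbase", "BTC", "exchange"),
    Holding("Paper wallet in a file cabinet", "BTC", "vault"),
]
ORIGINAL_FRACTIONS = {"BTC": 1.0}  # reproduces the book's [5] and [10]

DIVERSIFIED_HOLDINGS = ORIGINAL_HOLDINGS + [
    Holding("Ethereum in a paper wallet", "ETH", "vault"),
]
DIVERSIFIED_FRACTIONS = {"BTC": 0.6, "ETH": 0.4}

if __name__ == "__main__":
    for label, holdings, fractions in (
        ("original", ORIGINAL_HOLDINGS, ORIGINAL_FRACTIONS),
        ("diversified", DIVERSIFIED_HOLDINGS, DIVERSIFIED_FRACTIONS),
    ):
        print(f"== {label} portfolio, 40% Fixed Risk Line ==")
        for name, row in assess(holdings, fractions, LIKELIHOODS, 40).items():
            print(f"{name:32} {row}")
    print("80% line:", fixed_risk_line(80))
```

With the Bitcoin fraction at 1 the exchange node scores 5 and the paper wallet 10, matching the original example; moving 40% of the portfolio into Ethereum drops the Coinbase node to 3 and its risk from 40 to 24, so it falls below the 40% line without any change to its likelihood. The input check matters in a spreadsheet-style model too: fractions that do not sum to 1, or a node without a likelihood, quietly produce an optimistic chart.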

Summary

Initially, I tried to build a Python script for automated risk assessment and better charts. I failed because of the very custom workflow of every custody situation: the user would have to write new Python code for each unique situation whenever a new node (a second exchange, a mobile wallet, etc.) or interface is added to the system. At the same time, a risk model in an electronic spreadsheet can reach a broader audience and can easily be reused and modified by people with different skills.

The suggested model makes only minor changes and adds small improvements to the original SmartCustody example. It allows playing with various parameters in order to iterate more easily over the whole scheme described in the book.

Lowering the fractions of assets in the portfolio obviously reduces the risks
