Most security companies are big fans of the doom-and-gloom scenario of information security. However, when it comes down to brass tacks, security is nothing more than a business function — specifically, a business function of measuring and mitigating risk. The key motivator behind information security is the management of business risk, and regardless of whether that risk is financial or not, organizations mitigate vulnerabilities in the enterprise to reduce the threat to both reputation and customers.
There are many different tactics for measuring and evaluating information security risk, but the underlying formula is relatively simple, with a few variables. One of the most important is the overall financial impact of a breach, which can be a difficult calculation, depending on the company size, industry vertical and client base. Other factors — such as response costs, notification costs, damage to reputation and regulatory fines, to name a few — all must be taken into account when calculating the total impact. Furthermore, the impact of a breach must be weighed against the actual probability versus the possibility of a compromise.
It is important to understand the potential financial damage of a breach for your specific organization, because only then are you in a position to evaluate mitigation technologies and ensure that your security investments are actually worth the cost. There is no point in spending US$1,000 per year to insure your $500 painting from theft — but if you don’t understand the value of your painting in the first place, you may end up doing just that. Unfortunately, this is a common occurrence, because when it comes to information security in the enterprise, the overall risk, impact and cost never seem to be cut and dried.
Toward Informed Decision-Making
Fortunately, an information security risk assessment can serve as a solution to this problem. However, because there is no standard, there are many different methodologies used to perform security risk assessments as well as different definitions of what people equate security risk or risk assessments to — and it doesn’t help that “security assessment,” “risk assessment,” “penetration testing” and “vulnerability assessment” are commonly used interchangeably when, in fact, they are different.
At a high level, an information security risk assessment should analyze the probability of an event happening and the magnitude of loss from that event happening. The risk assessment should measure business impact, asset valuation and asset criticality, and should result in the ability to make informed business decisions based on defendable metrics.
On the other hand, an information security assessment, vulnerability assessment or penetration test — terms that are more appropriately interchangeable — identifies and analyzes pertinent attack vectors and identifies vulnerabilities within a target environment through portrayal of a particular type of threat community or malicious user.
The results from these more technical engagements are largely tactical, and while these types of efforts play a strong role in security risk assessments, they do not actually measure true risk. Yet they play a crucial role in an overall risk management program and can provide actionable data to be incorporated into the risk assessment effort.
No Magic Bullet
Another way of looking at the delta between an assessment of IT risk and an assessment of vulnerability is that the risk assessment prioritizes the assets and the potential impact to the environment in order to make informed business decisions regarding security investments and initiatives. The vulnerability assessment or testing of that environment ensures that the controls put into place are actually working at the level the organization assumes they are. That component also plays a critical role in ensuring security investments are worth the financial outlay.
However, when it comes to trying to define the cost/benefit of any security investment, a “quantitative risk assessment” seems to be the magic bullet that everyone is looking for, and generally, the quantitative factors need to equate to dollars and cents.
While a purely quantitative assessment of that kind doesn’t exist, it is possible to measure the qualitative values, which can include “high,” “medium” and “low” risk or criticality definitions, and build metrics to classify assets within those categories. Then, the ability to assign financial significance to those qualitative values plays a key role in making decisions about mitigating controls, technologies or processes. Once you have a quantitative value assigned, you can start to weigh your cost-to-benefit ratio to ensure any investment you make in a new security product, tool or process control is sound.
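As an added illustration (not part of the original article), the following Python sketch carries the approach above through: qualitative impact and likelihood ratings are mapped to dollar bands and annual probabilities, assets are ranked by expected annual loss, and a control is judged sound only if it removes more expected loss than it costs. The dollar bands, probabilities, asset inventory and the painting’s 10% theft likelihood are all constructed assumptions for the example.

```python
# Added example (not from the article): turn "high/medium/low" ratings into
# dollar figures and test whether a control's cost is justified.
# All bands, probabilities and asset values below are constructed assumptions.

IMPACT_USD = {"low": 10_000, "medium": 100_000, "high": 1_000_000}  # loss per breach
PROB_PER_YEAR = {"low": 0.05, "medium": 0.25, "high": 0.60}          # likelihood of a breach


def expected_annual_loss(impact: str, likelihood: str) -> float:
    """Impact weighed against probability: the article's underlying risk formula."""
    return IMPACT_USD[impact] * PROB_PER_YEAR[likelihood]


def rank_assets(assets: dict) -> list:
    """Prioritise assets by expected annual loss, highest first.

    assets maps asset name -> (impact rating, likelihood rating)."""
    ranked = sorted(assets.items(), key=lambda kv: expected_annual_loss(*kv[1]), reverse=True)
    return [name for name, _ in ranked]


def control_is_sound(annual_cost: float, loss_before: float, loss_after: float) -> bool:
    """A control is worth buying only if it removes more expected loss than it costs."""
    return (loss_before - loss_after) > annual_cost


# Constructed asset inventory: qualitative ratings as a risk assessment would produce them.
ASSETS = {
    "customer database": ("high", "medium"),  # 1,000,000 * 0.25 = 250,000 USD/yr
    "marketing website": ("medium", "high"),  # 100,000 * 0.60 = 60,000 USD/yr
    "internal wiki": ("low", "low"),          # 10,000 * 0.05 = 500 USD/yr
}

# The article's painting: a $500 asset insured for $1,000 per year.
# Assumed (constructed): a 10% annual chance of theft, and insurance covers the full loss.
PAINTING_LOSS_BEFORE = 500 * 0.10  # 50.0 USD/yr of expected loss
PAINTING_LOSS_AFTER = 0.0
PAINTING_PREMIUM = 1_000

if __name__ == "__main__":
    for name in rank_assets(ASSETS):
        print(f"{name}: {expected_annual_loss(*ASSETS[name]):,.0f} USD/yr")
    print("insure the painting?",
          control_is_sound(PAINTING_PREMIUM, PAINTING_LOSS_BEFORE, PAINTING_LOSS_AFTER))
```

The same `control_is_sound` check applies to any proposed product or process: compare its annual cost against the drop in expected loss it delivers for the assets it protects.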
Taken together and realistically assessed, the value and discovery of an organization’s assets and risks can be eye-opening to senior management. Once a risk assessment is completed, the next step is to conduct a gap analysis to ascertain where the company is exposed or lacks sufficient controls. From this, organizations can develop a framework and policies that serve as the foundation of the program, which should be audited, remediated for deficiencies, and finally, automated.
While it is easy to lay out these steps at such a high level, actually executing them poses a greater challenge. Most organizations do not have internal resources with experience in implementing a risk-based information security program, so most seek assistance from an external information security consulting firm.
Even though the path to a secure information environment may at times appear to be steep, it does exist — and the best way to start the ascent is to thoroughly understand the risks posed by standing still.
Jon Miller is director of Accuvant LABS.