This topic may be a bit “heavy” for the Friday before a long holiday weekend. But, it struck me as something that we should all be thinking about and therefore here goes.
Cyber Attacks and security breaches, or “Incidents” as we like to call them, are becoming commonplace, and therefore most Global 2000 organizations have teams of ESI security experts in place to attempt to “deal with” these issues and minimize the damage. And, no one is immune. As an example, Google was attacked last year in China (http://www.nytimes.com/2010/04/20/technology/20google.html) and as a result has had to rethink some of its policies. Even military organizations such as NATO are concerned (http://www.guardian.co.uk/world/2010/may/17/nato-faces-cyber-attacks-study).
However, how many organizations really understand the value of the losses they incur due to these attacks?
Believe it or not, there are some standards that are emerging to track this. (Ok, this is where the heavy stuff starts that may be too much for the Friday before a holiday weekend.) As an example, some organizations are using the Annualized Loss Expectancy (ALE) model to try to understand how much Cyber Attacks are costing them. And, other models such as Lindstrom’s Razor are also starting to emerge. The issue with any of these models is what you track and where the data comes from.
A May 24, 2010 Blog post by Rich on the Securosis Blog titled “FireStarter: The Only Value/Loss Metric That Matters” offers some interesting insight into what you should track.
Rich basically contends that “The losses predicted by a risk model before an incident should equal, within a reasonable tolerance, those experienced after an incident.”
The second part of the issue is getting the data to plug into whichever model or approach you decided to take. And, in most cases, very few organizations have the ability to track and/or capture this information.
One of the newest members of the eDiscovery Solutions Group (eDSG) Consortium appears to begin to address this issue with a new Incident Management Platform called IncMan. IncMan enables users to apply very detailed cost estimates to “Incidents,” which then enables them to roll up the global costs / overall impact of these incidents. Over the next couple of weeks, we plan to release additional information on IncMan, and the company will be scheduling several Webinars to show the industry how all of this works.
IncMan may or may not have all of the answers. However, it appears to be headed in the right direction and certainly begins to address some of the issues of measuring loss due to Cyber Attacks.
The full text of Rich’s Blog post is as follows:
As some of you know, I've always been pretty critical of quantitative risk frameworks for information security, especially the Annualized Loss Expectancy (ALE) model taught in most of the infosec books. It isn't that I think quantitative is bad, or that qualitative is always materially better, but I'm not a fan of funny math.
Let's take ALE. The key to the model is that your annual predicted losses are the losses from a single event, times the annual rate of occurrence. This works well for some areas, such as shrinkage and laptop losses, but is worthless for most of information security. Why? Because we don't have any way to measure the value of information assets.
Oh, sure, there are plenty of models out there that fake their way through this, but I've never seen one that is consistent, accurate, and measurable. The closest we get is Lindstrom's Razor, which states that the value of an asset is at least as great as the cost of the defenses you place around it. (I consider that an implied or assumed value, which may bear no correlation to the real value).
I'm really only asking for one thing out of a valuation/loss model:
The losses predicted by a risk model before an incident should equal, within a reasonable tolerance, those experienced after an incident.
In other words, if you state that X asset has $Y value, when you experience a breach or incident involving X, you should experience $Y + (response costs) losses. I added, "within a reasonable tolerance" since I don't think we need complete accuracy, but we should at least be in the ballpark. You'll notice this also means we need a framework, process, and metrics to accurately measure losses after an incident.
If someone comes into my home and steals my TV, I know how much it costs to replace it. If they take a work of art, maybe there's an insurance value or similar investment/replacement cost (likely based on what I paid for it). If they steal all my family photos? Priceless -- since they are impossible to replace and I can't put a dollar sign on their personal value. What if they come in and make a copy of my TV, but don't steal it? Er... Umm... Ugh.
I don't think this is an unreasonable position, but I have yet to see a risk framework with a value/loss model that meets this basic requirement for information assets.
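As an added illustration (not code from the original post, from Securosis, or from IncMan), the following Python builds a tiny risk register that computes ALE the way Rich describes it (single-event loss times annual rate of occurrence), applies Lindstrom's Razor as a floor on asset value, records losses after incidents with response costs kept separate, and then runs the one check the post asks for: does the predicted loss match the observed loss within a tolerance? The asset names, dollar figures, exposure factors, incident records and the 25% tolerance are all constructed assumptions for the example; the tangible asset calibrates, the information asset that was merely copied does not, which is the post's point.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of a risk register. All figures are constructed sample values."""
    name: str
    declared_value: float   # what the risk model claims the asset is worth
    defense_cost: float     # annual spend on the controls placed around it
    exposure_factor: float  # fraction of the value lost in one incident (0..1)
    annual_rate: float      # ARO: expected number of incidents per year

    def value(self) -> float:
        # Lindstrom's Razor: the asset is worth at least what you spend defending it.
        return max(self.declared_value, self.defense_cost)

    def sle(self) -> float:
        # Single Loss Expectancy: loss from one event.
        return self.value() * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy: single-event loss times annual rate of occurrence.
        return self.sle() * self.annual_rate


@dataclass
class Incident:
    """Losses recorded after an incident, split the way the post suggests."""
    asset: str
    asset_loss: float     # direct loss actually experienced on the asset itself
    response_cost: float  # IR, forensics, notification, legal, etc.

    def total(self) -> float:
        return self.asset_loss + self.response_cost


def calibrate(asset: Asset, incidents: list[Incident], tolerance: float = 0.25) -> dict:
    """Apply the post's only metric: the loss the model predicted should equal,
    within a tolerance, the loss experienced after the incident.
    Response costs are reported but kept out of the comparison, because the post
    treats them as an add-on to the asset's value rather than part of it.
    The 25% default tolerance is an assumption made for this example."""
    mine = [i for i in incidents if i.asset == asset.name]
    if not mine:
        return {"asset": asset.name, "incidents": 0, "calibrated": None}
    predicted = asset.sle()
    observed = sum(i.asset_loss for i in mine) / len(mine)
    rel_error = abs(observed - predicted) / predicted if predicted else float("inf")
    return {
        "asset": asset.name,
        "incidents": len(mine),
        "predicted_sle": predicted,
        "observed_mean_loss": observed,
        "observed_total_cost": sum(i.total() for i in mine),
        "relative_error": rel_error,
        "calibrated": rel_error <= tolerance,
    }


def portfolio_ale(assets: list[Asset]) -> float:
    """Roll up predicted annual loss across the whole register."""
    return sum(a.ale() for a in assets)


# Constructed sample register: a tangible asset the model handles well, and an
# information asset where a copy was taken and nothing was physically lost.
ASSETS = [
    Asset("field_laptops", declared_value=3000, defense_cost=500,
          exposure_factor=1.0, annual_rate=12),
    Asset("customer_db", declared_value=50000, defense_cost=120000,
          exposure_factor=0.5, annual_rate=0.2),
]

# Constructed post-incident records, the kind an incident platform would store.
INCIDENTS = [
    Incident("field_laptops", asset_loss=2900, response_cost=400),
    Incident("field_laptops", asset_loss=3200, response_cost=350),
    Incident("customer_db", asset_loss=0, response_cost=180000),
]

if __name__ == "__main__":
    print(f"portfolio ALE: ${portfolio_ale(ASSETS):,.0f}")
    for a in ASSETS:
        print(calibrate(a, INCIDENTS))
```

The laptop row calibrates because a replacement cost is a real, measurable number; the database row fails because the register's "value" (floored at the defense spend by Lindstrom's Razor) bears no relation to what was observed, and almost all of the real money went into response. That gap between the two reports is exactly the measurement problem the post and IncMan are trying to close.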