Source: http://feeds.feedburner.com/~r/PracticalRiskManagement/~3/138000524/is-risk-based-security-really-possible.html
Is Risk-Based Security Really Possible?
2007-07-26 20:42:00 by Bryan in practical risk management
 
Yes. Few security professionals doubt that our job is all about risk mitigation. But there tends to be sharp debate about whether you can measure risk. I think you can and should, but quantitative models don't work. I'll come back to "why you should" and "how you can" another time, but for now I want to discuss why the quantitative approach doesn't work.

The classic textbook quantitative risk calculation is Annualized Loss Expectancy:

ALE = (Impact of the event in $$) * (Number of times in a year the event will happen)

So, you calculate your ALE and that's the maximum you should spend to mitigate that risk.

If the real world was that simple, we'd all use ALE to plan our security strategies. But ALE is fundamentally wrong for information security. I'll concede that ALE can be useful as a simple conceptual model for risk because it requires us to think about both of the factors that generally influence risk: Likelihood and Impact. But literal use of ALE for information security decisions is problematic, to say the least.

The problem with ALE is that the numbers we plug into that formula are so baseless that the resulting calculation has no credibility. We probably inherited this simple conceptual model at some point from the insurance industry, which is different from security management in at least two key ways:
  • They have statistics and actuarial models that predict the likelihood of certain events with reasonable numerical accuracy across a certain demographic - we don't
  • They have a straightforward way of estimating the loss associated with those events with reasonable numerical accuracy - we don't
Not to mention the fact that insurance and information security are fundamentally different models, but I'll save that tangent for another time.

How does one calculate the financial impact of a security breach? Here's a hint: the amount of money you paid for the server that was just compromised is wrong. There's a whole bunch of things that go into it... the cost of employees and consultants to restore order after the breach, the potential legal liability, the cost of business you may have lost when the system went down, the opportunity cost of things you couldn't do because you had to spend time and resources responding to the incident, and the impact of lost goodwill and reputation damage that you suffer in the market. All of these factors are either immeasurable or unpredictable, which makes them poor candidates for mathematical calculations.

How does one calculate the likelihood of a security breach? The spectrum of threats is too broad and too unpredictable to have any hope of doing this. If you were just hacked by an outsider, or fell victim to a disgruntled employee, or made a simple mistake and exposed a bunch of sensitive information on a website, chances are you never saw it coming, and sure couldn't have sat at your desk six months ago and said "there's a 20% chance that this will happen in the next year".
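As an added illustration of the two paragraphs above (example code written for this edit, not part of the original post): it feeds the ALE formula with a low/high range for each of the impact components listed above, plus a low/high range for the annual frequency, and reports how far apart the resulting "maximum you should spend" figures land. Every dollar and frequency figure is a constructed placeholder, and the function names are my own; the point is only that multiplying two wide ranges produces an answer spanning several orders of magnitude.

```python
from typing import Dict, Tuple

Range = Tuple[float, float]  # (low estimate, high estimate)

# Constructed sample ranges for the impact components named in the post.
# The figures are placeholders chosen for illustration, not data from any source.
IMPACT_COMPONENTS: Dict[str, Range] = {
    "restoration labor (employees, consultants)": (20_000, 80_000),
    "legal liability": (0, 500_000),
    "lost business while the system was down": (5_000, 150_000),
    "opportunity cost of the response effort": (10_000, 100_000),
    "goodwill and reputation damage": (0, 1_000_000),
}

# Constructed placeholder: somewhere between once in twenty years and twice a year.
FREQUENCY_PER_YEAR: Range = (0.05, 2.0)


def single_loss_range(components: Dict[str, Range]) -> Range:
    """Sum the per-component estimates to get a low and high single-event impact."""
    low = sum(lo for lo, _ in components.values())
    high = sum(hi for _, hi in components.values())
    return low, high


def ale(impact: float, frequency: float) -> float:
    """The textbook formula from the post: impact in dollars times events per year."""
    return impact * frequency


def ale_range(components: Dict[str, Range], frequency: Range) -> Range:
    """Propagate the input ranges through the formula (interval arithmetic)."""
    impact_lo, impact_hi = single_loss_range(components)
    freq_lo, freq_hi = frequency
    return ale(impact_lo, freq_lo), ale(impact_hi, freq_hi)


def spread_factor(bounds: Range) -> float:
    """How many times larger the high estimate is than the low one."""
    lo, hi = bounds
    return hi / lo if lo else float("inf")


def main() -> None:
    lo, hi = ale_range(IMPACT_COMPONENTS, FREQUENCY_PER_YEAR)
    print(f"Single-event impact: ${single_loss_range(IMPACT_COMPONENTS)[0]:,.0f} "
          f"to ${single_loss_range(IMPACT_COMPONENTS)[1]:,.0f}")
    print(f"ALE (maximum justified spend): ${lo:,.0f} to ${hi:,.0f}")
    print(f"High estimate is {spread_factor((lo, hi)):,.0f}x the low estimate")


if __name__ == "__main__":
    main()
```

With these placeholder inputs the "maximum you should spend" comes out anywhere between a few thousand dollars and several million, which is the post's point: the formula is fine, but a budget ceiling that wide is not a number anyone can plan against.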

So, with ALE hopelessly wrong for information security, how can we argue in favor of risk-based security? The answer lies in qualitative models - stay tuned.

Cheers,
Bryan