Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com


About loss

Before we get into the meat of this post, we need to establish a common definition for the word “incident”. At least for the purposes of this posting we’ll consider “incident” to mean “loss event” (y’all can use whatever definition you like at any other time – it’s one of the things our profession is best at). In other words, something bad has happened that resulted directly in loss. It does not mean “someone violated policy by not choosing a strong password”.

Poll position…
With definition in hand I’d like to take a silent poll:

  * How many of you have worked for an organization that suffered a security incident of some kind? (I have, and I suspect most if not all of you have experienced viruses/worms, system or data abuse and/or theft by employees, web defacements, etc.)

  * In how many of these incidents was there the potential for significant loss/harm to the organization? (In my experience, many of the incidents have had the potential for significant harm.)

  * How many of these incidents actually resulted in worst-case loss? (In my experience, none of them did – they didn’t even come close.)

Okay, I’m going to go out on a limb and say that most if not all of you had the same answers I did – at least if you’re being honest (and my condolences to those who have encountered worst-case losses). In fact, if you plotted incident losses on a graph, you’d see the vast majority of incidents result in low to moderate loss, with almost no incidents resulting in worst-case outcomes. Yet as a profession all we seem to talk about is worst-case loss. “The cost of security is less than the cost of a breach.” Pardon me, but that’s bunk. A more accurate and useful statement is “The cost of security is less than the cost of a worst-case breach.” Subtle change in verbiage, but huge change in meaning. Shoot, if we built our cars to withstand worst-case collisions we’d all be driving tanks, and the mortgage payments and fuel costs for an M1 Abrams are, at least from where I sit, cost prohibitive (probably fun to drive though).

Aligning planets
If we really want to understand loss we have to ask ourselves WHY loss magnitude so often falls short of worst-case. What planets align to cut us a break? My recommendation is that IRM organizations ought to include loss analysis in their incident response post mortem process. Evaluate not only what losses were experienced, but also what losses might have been experienced and what the factors were that prevented worst-case outcomes. It can be a real eye-opener. Amongst other things, it can help us identify mitigation controls we hadn’t considered before and can help us do a better job of accurately representing risk to our employers.

(via RiskAnalys.is)

July 04, 2007, 7:59am