Risk Analysis vs Security Controls
Security Controls Risk assessment is a flawed safeguard selection method. There is a tendency to confuse security risk assessment with business risk assessment. Taking a business risk is voluntary with the objective of a positive return on investment (ROI) with potential loss limited to the assets invested.
Security Controls Risk Management: A holistic management process that encompasses activities that lead to cost-effective security solutions to protect Information Systems. Risk Analysis: A process to determine a measurable expectancy of loss, expressed in terms of frequency over a given time, and the amount of potential loss to the identified assets. A subset of Risk Management. Asset: Any resource, item, information of value to an organization which, if compromised in some manner, would result in a loss. Loss: The undesirable product of a threat that has occurred, resulting in one or any combination of: delay, disclosure, destruction or modification. Threat: A person, thing or event that manifests itself as a potential danger to an asset. Safeguard: A protective countermeasure to one or more threats or vulnerabilities designed to reduce the likelihood or degree of loss of an asset.
Security Controls One of the major problems is that security risk assessment and the benefits of using the results of risk assessment cannot be measured in any sufficiently accurate to provable way. Security risk is difficult to manage since you don’t know and can’t control the often irrational people who cause the risk and their plans. You cannot measure manage what you cannot measure. These differences suggest that the negative objectives of reducing security risk and the methods of risk assessment are not sufficient to justify security expenditures in a rational way.
Security Controls Like many of our stakeholders, we have wrongly assumed that business risk and security risk are the same. They are fundamentally different. Therefore, the validity and success of business risk assessment does not prove that security risk assessment would be successful, and the failings of security assessment does not imply anything about business risk.
Differences Between Security and Business Risks Involuntary risk of unknown value cannot be avoided Explicit adversaries are not identifiable Adversaries are unknown ROI is negative, unknown, and not provable Positive benefit is absence of unknown possible loss Voluntary discretionary investment decision can be made Competitors are known Competitor’s are known Competitors normally follow ethical practices ROI is positive and can be easily demonstrated *SKRAM - Skills, Knowledge, Resources, Authority, and Motives Security Risk Business Risk
Differences Between Security and Business Risks Negative result is unlimited, unknown loss Risk assessment is not verifiable because results are obscure Amateurs perform risk assessment Limited resources are allocate to risk assessment Positive benefit is measurable profit Loss is limited to investment only Risk assessment is verifiable by obvious results Professional risk managers perform risk assessment Generous resources are allocated for risk assessment Security Risk Business Risk
Changing Objectives For the past 30 years, the objectives of information security has been to reduce risk by applying security controls. This objective has kept us tied to the flawed effort to perform security risk assessments. If the objective of adopting a security safeguard is to reduce a security risk, the expenditure for the safeguard can only be justified by demonstrating that the cost of the safeguard is lower than the cost of dealing with the possible negative consequences of failing to implement the safeguard.
Changing Objectives Today, with 30 years of security advances and loss experience, we have used more than 300 generally accepted safeguards. We have: – recorded loss experience, –identified vulnerabilities and treats, – developed and used safeguards, and – established due care and good practice in the process
Changing Objectives These efforts have been documented extensively in: –The Common Body of Knowledge –British Standard (BS 7799) –International Standards (ISO 17799) –CoBit –Generally Accepted System Security Principles (GASSP) –NIST Common Criteria –CERT
Changing Objectives In most cases, it is no longer necessary to conduct reviews and plan security budgets by repeating threat, vulnerability and risk analysis. The standards of due care have already been established. The only analysis needed is the evaluation of the threats and vulnerabilities related to the newest technologies and applications to find and devise safeguards that are not yet accepted as being due care.
Changing Objectives Given the existing knowledge base and experience, we should rely on due care and good practices for most of our needs to gain management support for security plans and help choose safeguards. By benchmarking the practices of other organizations and gathering information on the sales and evaluations of purchasable security products, we can measure the extent to which our safeguards reflect the strength of due care and good practices.
Changing Objectives When benchmarking, if you discover that four of your competitors have installed firewalls, no risk assessment is necessary to support a “good practices” conclusion. Good security management (not risk management) requires that you plan an overall structure and system architecture of your security infrastructure.
Controls Conclusion We should rely on due care and good practices and methods for selecting safeguards. BS 7799, ISO have 350 controls to choose from. Use benchmarking, peer communications, security product advertisements and evaluations and security product demonstrations in selecting safeguards.
Controls Conclusion If you take these steps, over time you can replace negative objectives of reducing risk with achieving business enablement, due care and good practices as the stated positive security objective.