ERE Information Security Auditors
Home | Site Map | Contact Us | Blog
This text is replaced by the Flash movie.
 Executive Strategies for Managing Risk
Audit Tactics for Managing Risk

Archive for February, 2010

Quantifying Risk and Cost of IT Security Compliance: Part 4

Wednesday, February 24th, 2010

This week’s blog is Part 4 of 5 parts of a series.

If you are in security no doubt you have been challenged by management about your security expenditures.  I have often heard executives say that they regret authorizing sufficiently large security budgets because they can’t tell if the expenses were worthwhile.  It’s a good point.  I’ll try to address it in this blog.

Measuring the Effectiveness of Mitigation

It is paramount to close the risk management loop by comparing planned and actual results of mitigation.

Goal is to clearly identify if risk level has changed and what consistent metrics will be used to base a conclusion. Once again, this may be difficult to accomplish directly, but there certainly are metrics for measuring and comparing the results of implementing mitigation. The metrics should always:

  1. Produce repeatable, consistent results.
  2. Be understandable.
  3. Be reasonably simple to use over time.

The following is a good starting list of metrics that can be used for consistently measuring and reporting on risk:

  1. Architectures for measuring risk – Enterprise Information Security Architecture (EISA) (8), (9)
    1. a. The U.S. Department of Defense (DoD) Architecture Framework (DoDAF). (10)
    2. Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. (11)
    3. Federal Enterprise Architecture of the United States Government (FEA).  (12)
    4. Capgemini’s Integrated Architecture Framework. (13)
    5. NIH Enterprise Architecture Framework. (14)
    6. Open Security Architecture. (15)
    7. The Open Group Architecture Framework (TOGAF). (16)
    8. Zachman Framework(17)
    9. Control points from the COBIT framework.  (18)
    10. Vulnerability assessments.
    11. Penetration tests.
    12. Time trends in frequency of occurrence and the real costs of security events, privacy violations, and policy compliance violations.
    13. Time trends in cost to recover from events.
    14. Time trends in frequency of policy compliance violations that do not necessarily cause any financial losses, such as identifying Trojans, viruses, rootkits, unauthorized logins, attempted port scans, frequency of dropped packets, frequency of password lifecycle, breaches, and frequency of rescheduled / cancelled IT Security Governance meetings with business managers.

This part of the series may be a little dry.  In fact it is very dry.  But if you ever want to have a process done “by the book” many of my references will come in handy.  If you can take another “dry” blog, the next blog will cover the same subject but from a return on investment perspective.  I hope it will be helpful!

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditor

www.ere-security.ca

Tags: , , ,
Posted in Information Security | 2 Comments »

Quantifying Risk and Cost of IT Security Compliance: Part 3

Wednesday, February 17th, 2010

This week’s blog is Part 3 of 5 parts of a series.

I think that too often security people try to “fix” every security problem.  That is not realistic or required.  Many times, it is sufficient to just identify security risks and problems to management and get them to make a decision on how they want to deal with it.

But the operative phrase is “decision on how they want to deal with it.”

Calculating the Cost of Mitigation

Security professionals are well acquainted with determining the costs of mitigation.  Senior executives sometimes think they too are familiar with these costs, based upon ads they read about anti-virus and firewall technology.

The danger here is that it is too easy for all concerned to focus on technology as the primary mitigation for security and compliance.  It is well documented in standards published by industry experts such as NIST- 88 series (3), ISACA CoBIT (4),  PCI Security Standards – PCI (5),  and NERC – CIP 02 – 09 (6).

It is well advised to consider mitigation steps that include:

1. Re-engineering processes, both technological and people processes.

2. Policy – people and technology

3. Technical security.

4. Physical security.

5. People processes.

6. Training and awareness.

7. Third party auditing to verify the effectiveness of all the above.

From an IT Security Governance perspective the optimal cost point for mitigation is where the total costs of risk and mitigation are lowest.  This point can be graphically determined as in Exhibit 3 – Optimal Cost Point for Mitigation.

Exhibit 3 – Optimal Cost Point for Mitigation (3) This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca

Once mitigation costs are determined, it is important to express to the IT Security Governance committee that mitigation only goes so far, and that some residual risk remains even after spending on mitigation.  The residual risk can be expressed as the cost of risk that remains after mitigation is implemented.  As shown in Exhibit 4 – Mitigation Cost vs. Chance of Event Occurrence, expenditures on mitigation reduce the cost of exposure to risk.

Exhibit 4 – Mitigation Cost vs. % Chance of Event Occurrence This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca

The IT Security Governance Committee may decide to deal with residual risk by:

1. Accepting the risk.

2. Moving the risk (insurance).

3. Further mitigation.

Calculating Return on Security Investment (ROSI) (7)

Once the total cost of security mitigation is determined by including any costs for managing residual risk, then it is straightforward to calculate the return on security investment, as follows:

ROSI = cost of mitigation  /  cost of risk

When calculating ROSI it is important to allocate mitigation costs on a pro-rated basis across all costs of risk to which they apply.  In this way ROSI can be more accurately calculated and evaluated by each profit and loss manager and associated stakeholder.

The next blog will deal with figuring out if the cost of mitigation were worth it!

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditor

www.ere-security.ca

Tags: , , ,
Posted in Information Security | 4 Comments »

Quantifying Risk and Cost of IT Security Compliance: Part 2

Thursday, February 11th, 2010

This week’s blog is Part 2 of 5 parts of a series.

I know it is time consuming to do the analysis for building a business case.   I’ve seen the frustration on the faces of security types who present business cases for their budget and management gives them a rough time.

Hopefully these articles will be helpful.

The next logical step would be to associate an actual cost to each event. Various methods can be used either separately or together with the implementation of an averaging metric to estimate the cost per occurrence of an event.  These methods may include:

1. Soliciting expert advice from financial management, lawyers, and risk management consultants.

2. Conducting a straw poll of stakeholders, each estimating the downside cost of an event.

3. Participating in a fact gathering survey of similar businesses, each of which provides factual and straw poll estimates of the cost of an event.

4. Purchasing statistical information from industry experts regarding the cost of an event.

5. Obtaining statistical information from industry associations about the cost of an event experienced by their membership.

Using a similar methodology, the next step is to determine the likelihood of an event occurring.  The most useful ways of expressing likelihood is in % chance of an event occurring in any one year.

However, any likelihood estimate should also be adjusted to account for changes in security environment.  There are typically evolving waves of new threats that may affect likelihood of occurrence, such as these previous waves:

1. Viruses

2. Malware of all sorts

3. DDOS

4. Identity Theft

The likelihood estimate can then be used to:

1. Qualitatively express cost vs. likelihood as in Exhibit 1 – Potential Cost vs. % Probability of Occurrence.

2. Calculate the quantitative Annual Loss Expectancy.

Exhibit 1 – Potential Cost vs. Probability of Occurrence (1)

This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca

Obviously want to prioritize the mitigation steps to dealing with high risk / high cost situations first.

Annual Loss Expectancy (ALE) (2)

The step from qualitative to quantitative risk analysis logically occurs at this point, where the team evaluating risk triages the results of Exhibit 1 in order to decide upon those risks where they intend to focus.

The potential cost of those risks can be determined by calculating their Annual Loss Expectancy.  The annual loss expectancy is the annualized estimated cost for the occurrence of any type of event.  This number is useful for comparison with the annual cost of mitigation.  ALE for an event is calculated by multiplying the previously determined of the cost of the event and the chance of its occurrence.

Annual loss expectancy = cost of event x chance of occurrence

Next week I will discuss the ins and outs of calculating the cost of minimizing risk and how to present this to the executives.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditor

www.ere-security.ca

Tags: , , ,
Posted in Information Security | No Comments »

Quantifying Risk and Cost of IT Security Compliance: Part 1

Thursday, February 4th, 2010

This week’s blog is Part 1 of 5 parts of a series.

Over the years many IT security professionals have told me about their challenges of getting the appropriately sized security budget approved.  In my opinion many senior executives believe that if they have not endured a serious security breach, then there simply are not any security risks.  That is my motivation for writing this series.

Executive Summary

IT security and security compliance are expensive to successfully achieve.  Now pile on privacy compliance and an array of regulatory compliance obligations and the costs skyrocket.

The key to getting the IT Security Governance committee to fund the appropriate compliance budget is to speak their language.

In order to do that, risks need to be expressed in terms of costs for executives.  Specifically costs need to be identified as: Potential cost of losses, mitigation costs, the total costs (potential cost of losses + mitigation costs) and residual costs.

In order to be clear and meaningful for the intended audience, the material should be presented graphically, presenting changes in both cost and risk over time.

This trending analysis is most useful for supporting the ability of the IT Security Governance committee to make well informed decisions on how to most effectively invest in security, thereby deriving optimal payback for stakeholders.

Identifying Risk and its Business Impact

The costs of risk associated with IT security / privacy and non compliance of regulatory / standards and the resulting negative impact on business can be broadly identified as follows:

1. Loss of revenue or production due to unavailability of production resource.

2. Time and effort to recover from a security related loss of production.

3. Legal.

4. Damage to brand.

5. Regulatory compliance violations.

6. Privacy compliance violations.

7. Damage to client and vendor relationships.

8. Loss of intellectual, competitive or proprietary information.

9. Un-captured profits resulting from inability to demonstrate to clients / vendors / partners a strong security process.

The cost of risk is the resulting impact on business that may be incurred should a risk become a reality or an event.  Determining the cost of a potential event is difficult at best.  However, it can be accomplished by employing one or more quantitative and qualitative methods, and should be undertaken by those most qualified to do so.

Those most qualified are unit profit and loss managers, stakeholders, and executives with insight into quantitatively how an event would affect their work domain.

The cost of various types of events can be viewed as categories of low, medium, and high cost.  This qualitative analysis is not useful in itself, but it may assist management on how to prioritize the order in which they will perform a more in depth risk analysis.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditors

www.ere-security.ca

Tags: , , ,
Posted in Information Security | 7 Comments »
Home | Point in Time Audit | Doc Audit/Authorship | 7x24 Monitoring | Knowledge Transfer | ERE Differentiators | About Us | Site map | Contact Us | Blog
Copyrights © 2007-2008. All rights reserved.  Non-security resources 1|2|3|4|5|6|7|8|9

   AddThis Social Bookmark Button