<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ERE-Security Blog &#187; Information Security</title>
	<atom:link href="http://ere-security.com/blog/category/information-security/feed" rel="self" type="application/rss+xml" />
	<link>http://ere-security.com/blog</link>
	<description>Security postings</description>
	<lastBuildDate>Mon, 16 Aug 2010 17:22:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>NEW YORK STOCK EXCHANGE MELTDOWN</title>
		<link>http://ere-security.com/blog/new-york-stock-exchange-meltdown</link>
		<comments>http://ere-security.com/blog/new-york-stock-exchange-meltdown#comments</comments>
		<pubDate>Wed, 12 May 2010 14:36:25 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[New York Stock Exchange]]></category>
		<category><![CDATA[NYSE]]></category>
		<category><![CDATA[Security 101]]></category>
		<category><![CDATA[Washington Post]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=253</guid>
		<description><![CDATA[

The New York Stock Exchange meltdown last Thursday gives a whole new meaning to “security vulnerability.”  Imagine that supposedly technical errors in a transaction processing system could cascade into a disaster that affected literally the entire world.
According to the article in the Washington Post by Zachary Goldfarb and Jia Lynn Yang, the Exchange officials are [...]]]></description>
			<content:encoded><![CDATA[
<p>The New York Stock Exchange meltdown last Thursday gives a whole new meaning to “security vulnerability.”  Imagine that supposedly technical errors in a transaction processing system could cascade into a disaster that affected literally the entire world.</p>
<p>According to the article in the Washington Post by Zachary Goldfarb and Jia Lynn Yang, the Exchange officials are quoted as saying the reason for the meltdown was “…probably caused by technical problems and could take weeks or months given the millions of trades being examined.”  To see the article in full please visit <a href="http://www.ere-security.ca/">www.ere-security.ca</a> RSS feed May 10, 2010 or <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/05/07/AR2010050705087.html?sid=ST2010050705108">http://www.washingtonpost.com/wp-dyn/content/article/2010/05/07/AR2010050705087.html?sid=ST2010050705108</a></p>
<p>In my opinion, no matter what the New York Stock Exchange officials deem to be the perceived causes of the meltdown, two basic security practices need to be implemented in order to mitigate the chance of a repeat performance.</p>
<p>The first suggestion is really just plain common sense.  Since it appears the Exchange is susceptible to anomalous transactions, where the requested sell price of an instrument is unreasonably below the current sell price, security policy needs to be implemented and enforced to have such transaction requests investigated by human beings prior to execution.</p>
<p>This type of inspection falls well within the realm of standard security practices for complex transaction processing systems, or for that matter, even the simplest web based on-line purchasing systems.  In both the realms of the simple and the complex, it is customary to check data being input for “sanity” or for being credible.</p>
<p>The second suggestion is that anyone who is capable of entering requests for transactions into the Exchange transaction processing system, such as stock broker representatives, should undergo a regular background security appraisal for susceptibility to being induced to enter sell orders which are not deemed as credible.</p>
<p>Again this is Security 101, and organizations that deal with sensitive or critical data understand the need to do background checks on employees, both during the hiring process and periodically thereafter. Organizations with expertise in Information Security, such as ISACA, <a href="http://www.isaca.org/"><strong>www.isaca.org</strong></a>, incorporate background checking into their cornerstone security policy document, COBIT.  More information about COBIT may be found at <a href="http://www.isaca.org/cobit"><strong>www.isaca.org/cobit</strong></a>.</p>
<p>The Washington Post article goes on to explain the possible cause of last Thursday’s problem, which caused the Exchange to temporarily drop by nearly 1000 points in less than one hour, as “Computer programs designed to make lightning-fast decisions, based on complex mathematical rules, or algorithms, about what to buy and sell made massive trades without human input.” and “… electronic trading hubs had inconsistent rules about when to stop a sudden plunge in stock prices.”</p>
<p>While the debate continues about whether or not stock exchanges should slow down or interfere with automated trading, the root cause of the problem will still continue to exist: invalid sell requests.  Automated trading may cause the observed cascade effect, but it is not a root cause of the problem.</p>
<p>Indeed, it would be productive for the Exchange to also address the second problem of resolving rule inconsistencies relating to automated trading.  Again, ensuring software rules are consistent and compatible is a basic IT Security practice, whether designing rules for transaction processing systems or for firewalls.</p>
<p>While rule consistency is a laudable goal, it still will not address the root cause of the unnecessary plunge problem.</p>
<p>This plunge problem makes me think of an inverse “Terminator” situation.  In the Terminator, the technology “had malicious intent towards humanity.”  I can imagine the NYSE transaction technology thinking, “These guys want me to do what?”</p>
<p>Have a secure week.</p>
<p>Ron Lepofsky, CISSP, B.A. SC. (mechanical engineering)</p>
<p><a href="http://www.ere-security.ca/">www.ere-security.ca</a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/new-york-stock-exchange-meltdown/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securing the Smart Grid</title>
		<link>http://ere-security.com/blog/securing-the-smart-grid</link>
		<comments>http://ere-security.com/blog/securing-the-smart-grid#comments</comments>
		<pubDate>Wed, 21 Apr 2010 16:34:25 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[SCADA]]></category>
		<category><![CDATA[Smart Electricity Architecture]]></category>
		<category><![CDATA[Smart Grid]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=240</guid>
		<description><![CDATA[

Am I reading an oxymoron in this title?  Or what!
In a recent article in CNET news, Elinor Mills investigates potential new security vulnerabilities by adding smart metering onto our legacy North American electricity distribution architecture.
First of all North America has not fully implemented a smart electricity architecture or “Grid”.  A smart grid would not have [...]]]></description>
			<content:encoded><![CDATA[
<p>Am I reading an oxymoron in this title?  Or what!</p>
<p>In a recent article in CNET news, Elinor Mills investigates potential new security vulnerabilities by adding smart metering onto our legacy North American electricity distribution architecture.</p>
<p>First of all, North America has not fully implemented a smart electricity architecture or “Grid”.  A smart grid would not have allowed the type of cascading meltdown that occurred in August 2003, and as far as I know that grid has not been sufficiently modified as to be considered ubiquitously smart.  Has anyone got a different perspective on the status of the grid upgrade?  For a look at this article please see <a href="http://www.ere-security.ca/index.php">http://www.ere-security.ca/index.php</a>, RSS feed, April 9, 2010.</p>
<p>Adding smart meters with IP addresses does not compromise the security of the rest of the smart grid, in my humble opinion.  This would be more of an issue if many key devices on the grid had IP addresses and were managed accordingly.  But again, a smart IP grid is not there yet.</p>
<p>The CNET article goes on to explore the possibility of the smart meter’s being compromised and the countermeasures being implemented by various vendors.  I’ve even read some articles identifying concerns that smart meters are possibly an entry point into a household’s network for hacking purposes.  This sounds like dark magic to me, especially if the smart meter is in no way connected to the household’s network.  The bottom line, I believe, is that smart meters in and of themselves do not present a security threat or a vulnerability to the grid.</p>
<p>However…</p>
<p>Opening the control technology used by electrical distribution networks to a wider network certainly does pose a plethora of threats to the control technology and, therefore, to the entire control network.</p>
<p>The electrical distribution industry has standardized on SCADA control technology, and SCADA networks are sacrosanct.  They control and monitor actual electrical equipment, and errors can result in death, damage to equipment, and power outages.  So opening a SCADA control network to encompass smart meters expands access points exponentially.  For more information please see <a href="http://www.ere-security.ca/SCADA_CIP.html">http://www.ere-security.ca/SCADA_CIP.html</a></p>
<p>The problem then becomes securing the vastly greater scope of network against all the usual security suspects.  The utility industry relies on a security standard called NERC CIP: <a href="http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html">http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html</a></p>
<p>In our experience as security and NERC CIP compliance auditors, we’ve seen nightmare scenarios regarding the unauthorized access vulnerabilities just on SCADA networks.  I don’t want to give anybody any ideas, so I’m not going to be any more specific here.  But you get the idea.  If it is difficult as is to keep SCADA networks secure, imagine expanding the scope of access to the network by hundreds of thousands of locations.</p>
<p>My idea is that a smart grid is one with superbly controlled access and authentication.  Access and authentication controls of course are composed of: logical controls, physical security, and people behavior.  So some smart meters are the least of the worries for ensuring the availability and dependability of a smart grid.</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, CISSP</p>
<p>President,</p>
<p>ERE Information Security and Compliance Auditors</p>
<p><a href="http://www.ere-security.ca/">www.ere-security.ca</a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/securing-the-smart-grid/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Dark Side of Cyberspace</title>
		<link>http://ere-security.com/blog/dark-side-of-cyberspace</link>
		<comments>http://ere-security.com/blog/dark-side-of-cyberspace#comments</comments>
		<pubDate>Wed, 14 Apr 2010 14:05:55 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[GhostNets]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Shadows]]></category>
		<category><![CDATA[Toronto Star]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=234</guid>
		<description><![CDATA[ The Toronto Star ran an informative article last week about spying on the Internet, particularly using easily accessible tools like Google, blogs and social networking sites.  The article delves into cyber-spy rings like Shadows and GhostNets and mentions the upcoming global cyber security summit to be hosted by the University of Toronto this fall.  [...]]]></description>
			<content:encoded><![CDATA[<p>The Toronto Star ran an informative article last week about spying on the Internet, particularly using easily accessible tools like Google, blogs and social networking sites.  The article delves into cyber-spy rings like Shadows and GhostNets and mentions the upcoming global cyber security summit to be hosted by the University of Toronto this fall.  You can see the article on the ERE RSS news feed at <a href="http://www.ere-security.ca/">www.ere-security.ca</a>.</p>
<p>The article is compelling but the message should not be news to any computer user today.  I’m not sure why anybody would be surprised that private information is stolen on the Internet after vast amounts of publicity on Identity Theft and about cyber-fraud.</p>
<p><strong>So the important question is: Are you vulnerable to cyber-spying or to identity theft?</strong></p>
<p>With regard to cyber-spying, the obvious question is: do you have any sensitive defense or political information worth stealing?  If the answer is “no” then we can all assume you are not being targeted by a spy-ring.</p>
<p><strong>With regard to identity theft and cyber-fraud, some important questions about your computer are:</strong></p>
<p>Do you update your anti-virus and anti-malware software daily?</p>
<p>Do you patch your operating system as soon as important security patches are available?</p>
<p>Do you patch your web browser with security patches as soon as they are available?</p>
<p>Do you avoid updating software tools such as Adobe Acrobat until the updates have been proven to not introduce security vulnerabilities?</p>
<p>Do you run a sweep of your computer work station with an anti-virus and anti-malware tool once a week?</p>
<p>Do you run a web site safety evaluation tool?</p>
<p>If the answer is “no” to any of the above, you probably have security weaknesses.  If you answer “no” to more than one question, you definitely want to consider improving your security procedures.</p>
<p><strong>What about the answers to these questions about your cyber-behavior:</strong></p>
<p>Do you open emails from sources you do not recognize?</p>
<p>Do you open attachments from friendly sources, without screening the attachment for malware prior to opening?</p>
<p>Do you visit unfamiliar web sites without first validating their safety?</p>
<p>Do you post on blogs or social networking sites any personal information including photographs?</p>
<p>Do you provide your home phone number to strangers?</p>
<p>Do you identify the names of your family members to strangers?</p>
<p>If you answer “yes” to any of these questions, you are probably jeopardizing the security and privacy of information on your workstation.  If you answer “yes” to any of the last three questions, you may be putting your family members or yourself in harm’s way.</p>
<p><strong>What about your cyber-housekeeping habits, such as:</strong></p>
<p>Do you regularly change the password to your workstation?</p>
<p>Do you have a strong password for your workstation?</p>
<p>Do you encrypt personal information and passwords?</p>
<p>Do you leave unencrypted personal or sensitive information on external media?</p>
<p>Do you dispose of used disks and computer technology without destroying the media and memory hardware?</p>
<p>Do you dispose of scanner and photocopier technology without destroying the media and memory hardware?</p>
<p>Answering “yes” to any of the above, as you’ve already figured out, is not good for your cyber-health.</p>
<p><strong>So the big question is: Do you want to greatly improve your personal cyber-security?  If yes, by now you probably have a few new specific action items to execute.</strong></p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security Auditors</p>
<p><a href="http://www.ere-security.ca/"><strong>www.ere-security.ca</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/dark-side-of-cyberspace/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What's the news with iPad Email Scams?</title>
		<link>http://ere-security.com/blog/whats-the-news-with-ipad-email-scams</link>
		<comments>http://ere-security.com/blog/whats-the-news-with-ipad-email-scams#comments</comments>
		<pubDate>Wed, 07 Apr 2010 14:32:45 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Scams]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=228</guid>
		<description><![CDATA[During the Easter weekend you may have seen scams in the form of spam about the newly released iPad.
The Better Business Bureau released a bulletin warning the public to be wary of bogus offers, such as:

Claims you can become a tester or researcher and get an iPad for free.
Requesting product testers for the iPad. The [...]]]></description>
			<content:encoded><![CDATA[<p>During the Easter weekend you may have seen scams in the form of spam about the newly released iPad.</p>
<p>The Better Business Bureau released a bulletin warning the public to be wary of bogus offers, such as:</p>
<ul>
<li>Claims you can become a tester or researcher and get an iPad for free.</li>
<li>Requesting product testers for the iPad. The email points to a website Testitandkeepit.com which claims they are looking for people to test the iPad for a couple of months; as compensation you get to keep the iPad. The biggest red flag with this offer is that you have to provide your email address and password in order to “tell your friends.”</li>
<li>“Researchers Wanted-Get an iPad Early and Keep it” was designed to trick people into signing up for a cell phone subscription service that cost $10 a month.</li>
</ul>
<p>The sad part about this scenario is that Internet users still need to be warned about email fraud.  By Internet users I refer to both the unsophisticated and the well educated who should know better.  If you don’t know better, for more information about the BBB bulletin, please see the related article on the ERE RSS news feed at <a href="http://www.ere-security.ca/">www.ere-security.ca</a>.</p>
<p>Isn’t it ironic that potential purchasers of leading edge technology like the iPad would also be susceptible to low brow high tech fraud?</p>
<p>We all know better than to open spam and to be very prudent when opening emails from unknown sources.  This, of course, is email security policy 101.  Everyone should know better than to divulge any passwords.  While we are on the subject relating to the iPad scam, everyone should remember to:</p>
<ul>
<li>Never use the same password for your computer logon, email, social networking, and ATM.</li>
<li>Change your passwords at least once per year.  I know this is painful.</li>
<li>Never “loan” your password to anyone.  Ever.</li>
<li>Always check the digital certificate on an e-commerce transaction site.  You can do this by looking at the SSL certificate and then researching the certificate provider.</li>
<li>Think before going to a web site offering something for free.  Perhaps get a tool that attempts to triage sites by risk.  This sounds hypocritical, but I found an excellent “free” tool from McAfee at <a href="http://www.siteadvisor.com/">http://www.siteadvisor.com/</a></li>
</ul>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security and Privacy Compliance Auditors</p>
<p><a href="http://www.ere-security.ca/"><strong>www.ere-security.ca</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/whats-the-news-with-ipad-email-scams/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Beware of the photocopier as an Information Thief</title>
		<link>http://ere-security.com/blog/beware-of-the-photocopier-as-an-information-thief</link>
		<comments>http://ere-security.com/blog/beware-of-the-photocopier-as-an-information-thief#comments</comments>
		<pubDate>Wed, 31 Mar 2010 20:29:11 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Security Postings]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Photocopiers]]></category>
		<category><![CDATA[Smart Photocopier]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=224</guid>
		<description><![CDATA[

“High-tech copy machines a gold mine for data thieves” was a story printed on March 18, 2010 in the Toronto Star, which should give pause to every one of us.  That is, everybody who uses a smart photocopier or who provides access to one for others.
You may think this is overreaction, but is it?
By [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #ff0000;"><strong>“High-tech copy machines a gold mine for data thieves”</strong></span> was a story printed on March 18, 2010 in the Toronto Star, which should give pause to every one of us.  That is, everybody who uses a smart photocopier or who provides access to one for others.</p>
<p>You may think this is overreaction, but is it?</p>
<p>By smart photocopier, I mean one with a computer inside that provides all the great features.  The computer also has a disk, which indiscriminately retains images of sensitive and personal documents like tax returns (social insurance numbers), job applications, and legal documents.</p>
<p>It also unwittingly retains images of critical information like executive summaries about corporate plans, new business strategies, and unpublished quarterly financial reports.</p>
<p>So everybody using a smart photocopier really needs to give some thought as to the consequences of their confidential material falling into the hands of those who would benefit from its unauthorized use for personal gain.  How could this happen, you think?  Well, lots of ways.</p>
<p>Someone such as a photocopier service person could simply copy the disk data.  So could someone with unauthorized access to the machine at night.  If the copier has a data access port, anyone familiar with the data communications capabilities of the data port could walk by with their smart phone and download the data.</p>
<p>Twenty years ago I remember watching a news documentary describing a similar but lower tech use of photocopiers to steal sensitive and critical information.  Apparently during the cold war spies would insert a camera into a photocopier destined for the opposition’s embassy.  Then the “copier tech” would surreptitiously remove the film from the hidden camera in the photocopier and, of course, replace it with more unused film.</p>
<p>So, without becoming paranoid about photocopiers, how can you get them to do your bidding with confidence that your sensitive and critical information will not fall into the hands of others?</p>
<p>Some simple things you can do are:</p>
<p>1. Always do your own photocopying whenever possible.</p>
<p>2. If you must use a copy service, then keep your eyes on your original documents and all copies of them, just as diligently as you would keep eye contact with your credit /debit card during a purchasing transaction.</p>
<p>3. Don’t use smart photocopiers unless you are sure of the security policy by which they are managed.</p>
<p>As the custodian of a smart photocopier, ensure your telecommunications and security people have:</p>
<p>a. Configured it to communicate only as mandated by your corporate security policy.</p>
<p>b. Implemented an ongoing process to regularly scrub the disk (rather than just “delete” files).</p>
<p>c. Implemented an ongoing process to monitor the event logs of the copier and alert on suspicious activity such as unauthorized attempts to connect it to a telecommunications network, unauthorized attempts to communicate with its data port in order to upload data, and unauthorized attempts to open or tamper with the machine.</p>
<p>Prior to sending the copier off premises for service or for disposal, ensure the disk is either removed and destroyed or that data is scrubbed and destroyed completely.  Otherwise, you could end up with the same consequences as confidential data on a used and resold computer work station or laptop being retrieved by its new owner.</p>
<p>Of course we all know that there are dumb users even for smart photocopiers.  How many times have we all found original documents left by some previous users of the copy machine?  So it’s probably a good practice to count your original documents before and after using a photocopier.</p>
<p>Have a secure week.</p>
<p>Ron Lepofsky, B.A.SC. (Mech Eng), CISSP</p>
<p>President</p>
<p>ERE Information Security Auditors</p>
<p>www.ere-security.ca</p>
<p>www.ere-security.com</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/beware-of-the-photocopier-as-an-information-thief/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Quantifying Risk and Cost of IT Security Compliance:  Part 5</title>
		<link>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-5</link>
		<comments>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-5#comments</comments>
		<pubDate>Thu, 18 Mar 2010 19:38:06 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cost of IT Security Compliance]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk of IT Security Compliance]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=190</guid>
		<description><![CDATA[This week’s blog is Part 5 of 5 parts of a series.
You may not have heard of the IT security term called ROSI; it stands for return on security investment.  It’s really the same as ROI but it helps to convey to executives that a business case is being built according to best security practices.
Determining [...]]]></description>
			<content:encoded><![CDATA[<p>This week’s blog is Part 5 of 5 parts of a series.</p>
<p>You may not have heard of the IT security term called ROSI; it stands for return on security investment.  It’s really the same as ROI but it helps to convey to executives that a business case is being built according to best security practices.</p>
<h3>Determining if ROSI Objectives are Met</h3>
<p>Tires meet the road when it is time to determine whether or not ROSI objectives for security / policy / compliance have been met.  Conveying this determination is essential to building (or destroying) credibility of the group who made the mitigation recommendations in the first place.</p>
<p>Determining ROSI is quite simple. The actual costs resulting from events are compared with the projected costs after mitigation.  If mitigation was successful, then the actual costs should be near or below the projected costs.  This information can be presented as an updated version of Exhibit 3, shown as <strong>Exhibit 5</strong> – Projected vs. Actual Cost of Losses.  For purposes of accuracy, new trends that developed in the security environment over the period of study should be considered.  If new trends increased the cost of losses, and the effect can be quantified, then the results should be reported accordingly.</p>
<p><strong>Exhibit 5</strong> – Projected vs. Actual Cost of Losses.  This exhibit can’t be shown in the blog, but you can see it in a whitepaper on the ERE web site www.ere-security.ca</p>
<p><strong>Summary</strong></p>
<p>The task of getting approval for a sufficient budget for IT security, privacy compliance, and IT regulatory compliance is usually frustrating and arduous. The task can be made easier by presenting the IT Security Governance body with simple to understand graphics, rather than with complex business plans.  The graphs should depict the relationship between the cost of risk and the cost of mitigation.  The presentation process should occur both at budget request time to show the intended plan, and after the budget cycle to show the actual results.  Hopefully the results trump the plan.</p>
<p><strong>Sources of Information</strong></p>
<p>(1) ANZ 4360:2004 Risk Management Standard http://www.ncsi.com.au/as4360.html</p>
<p>(2) Calculations of ALE are based upon The Official CISSP CBK, 2009, published by ISC2 www.isc2.org</p>
<p>(3) NIST- 88 series http://csrc.nist.gov/publications/PubsSPs.html</p>
<p>(4) ISACA: CISM Review Manual 2010 www.isaca.org</p>
<p>(5) PCI Security Standards – PCI https://www.pcisecuritystandards.org/index.shtml</p>
<p>(6) NERC – CIP 02 – 09 www.nerc.com</p>
<p>(7) ROSI: Calculating Security Return on Investment, Don O’Neil, Software Engineering Institute, 2007, CERT. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/business/677-BSI.html</p>
<p>(8) Gartner whitepaper: “Incorporating Security into the Enterprise Architecture Process,” Jan 2006 www.gartner.com</p>
<p>(9) EISA: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture</p>
<p>(10) The U.S. Department of Defense (DoD) Architecture Framework (DoDAF) http://www.architectureframework.com/dodaf/</p>
<p>(11) Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. http://www.enterprise-architecture.info/</p>
<p>(12) Federal Enterprise Architecture of the United States Government (FEA) http://www.whitehouse.gov/omb/e-gov/fea/</p>
<p>(13) Capgemini’s Integrated Architecture Framework http://www.capgemini.com/services-and-solutions/technology/soa/overview/ent_architecture/iaf/</p>
<p>(14) NIH Enterprise Architecture Framework http://enterprisearchitecture.nih.gov/About/Approach/Framework.htm</p>
<p>(15) Open Security Architecture http://www.opensecurityarchitecture.org/cms/index.php</p>
<p>(16) The Open Group Architecture Framework (TOGAF) http://www.opengroup.org/architecture/togaf8-doc/arch/</p>
<p>(17) Zachman Framework http://www.zifa.com/</p>
<p>(18) Control points from the COBIT framework.  http://www.isaca.org/Template.cfm?Section=COBIT6&amp;Template=/TaggedPage/TaggedPageDisplay.cfm&amp;TPLID=55&amp;ContentID=7981</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security and Privacy Compliance Auditor</p>
<p>www.ere-security.ca</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-5/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quantifying Risk and Cost of IT Security Compliance:  Part 4</title>
		<link>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-4</link>
		<comments>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-4#comments</comments>
		<pubDate>Wed, 24 Feb 2010 20:10:35 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cost of IT Security Compliance]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk of IT Security Compliance]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=185</guid>
		<description><![CDATA[This week’s blog is Part 4 of 5 parts of a series.
If you are in security no doubt you have been challenged by management about your security expenditures.  I have often heard executives say that they regret authorizing sufficiently large security budgets because they can’t tell if the expenses were worthwhile.  It’s a good point.  [...]]]></description>
			<content:encoded><![CDATA[<p>This week’s blog is Part 4 of 5 parts of a series.</p>
<p>If you are in security no doubt you have been challenged by management about your security expenditures.  I have often heard executives say that they regret authorizing sufficiently large security budgets because they can’t tell if the expenses were worthwhile.  It’s a good point.  I’ll try to address it in this blog.</p>
<h2><strong>Measuring the Effectiveness of Mitigation</strong></h2>
<p>It is paramount to close the risk management loop by comparing the planned and actual results of mitigation.</p>
<p>The goal is to identify clearly whether the risk level has changed, and which consistent metrics that conclusion will be based on. Once again, this may be difficult to accomplish directly, but there certainly are metrics for measuring and comparing the results of implementing mitigation. The metrics should always:</p>
<ol>
<li>Produce repeatable, consistent results.</li>
<li>Be understandable.</li>
<li>Be reasonably simple to use over time.</li>
</ol>
<p>The following is a good starting list of metrics that can be used for consistently measuring and reporting on risk:</p>
<ol>
<li>Architectures for measuring risk – Enterprise Information Security Architecture (EISA) <strong>(8), (9)</strong>
<ol>
<li><a title="DODAF" href="http://en.wikipedia.org/wiki/DODAF">The U.S. Department of Defense (DoD) Architecture Framework (DoDAF)</a>. <strong>(10)</strong></li>
<li>Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. <strong>(11)</strong></li>
<li><a title="Federal Enterprise Architecture" href="http://en.wikipedia.org/wiki/Federal_Enterprise_Architecture">Federal Enterprise Architecture</a> of the United States Government (FEA). <strong>(12)</strong></li>
<li>Capgemini&#8217;s Integrated Architecture Framework. <strong>(13)</strong></li>
<li>NIH Enterprise Architecture Framework. <strong>(14)</strong></li>
<li>Open Security Architecture. <strong>(15)</strong></li>
<li><a title="TOGAF" href="http://en.wikipedia.org/wiki/TOGAF">The Open Group Architecture Framework (TOGAF)</a>. <strong>(16)</strong></li>
<li><a title="Zachman Framework" href="http://en.wikipedia.org/wiki/Zachman_Framework">Zachman Framework</a>. <strong>(17)</strong></li>
<li>Control points from the COBIT framework. <strong>(18)</strong></li>
</ol>
</li>
<li>Vulnerability assessments.</li>
<li>Penetration tests.</li>
<li>Time trends in the frequency of occurrence and the real costs of security events, privacy violations, and policy compliance violations.</li>
<li>Time trends in the cost to recover from events.</li>
<li>Time trends in the frequency of policy compliance violations that do not necessarily cause any financial loss, such as detected Trojans, viruses and rootkits, unauthorized logins, attempted port scans, frequency of dropped packets, password lifecycle breaches, and the frequency of rescheduled / cancelled IT Security Governance meetings with business managers.</li>
</ol>
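<p>The time-trend metrics above are only useful if they are computed the same way every period and compared against what the mitigation was planned to achieve. The script below is an added example, not code from the post: it takes a constructed (not real) list of security events, produces per-quarter frequency, cost and mean recovery time, and then compares the year before an assumed endpoint-protection rollout with the year after it, checking the actual malware cost reduction against a planned 50% target. The category names, dates and costs are all assumptions chosen for the illustration.</p>

```python
"""Time-trend metrics for closing the risk management loop: event frequency,
direct cost and recovery time per quarter, plus a before/after comparison of
one mitigation against its planned effect.

The event records below are constructed for illustration, not real incident data.
"""
from collections import defaultdict
from datetime import date

# (date, category, direct cost, hours to recover) -- constructed sample
EVENTS = [
    (date(2009, 1, 15), "malware", 4000, 6),
    (date(2009, 2, 20), "malware", 2500, 4),
    (date(2009, 4, 10), "unauthorized login", 1000, 2),
    (date(2009, 5, 3), "malware", 8000, 12),
    (date(2009, 7, 11), "malware", 1500, 3),
    (date(2009, 9, 21), "unauthorized login", 1200, 2),
    (date(2009, 10, 8), "malware", 3000, 5),
    (date(2009, 12, 2), "malware", 5000, 8),
    (date(2010, 2, 14), "unauthorized login", 900, 1),
    (date(2010, 3, 19), "malware", 2000, 3),
    (date(2010, 6, 27), "malware", 3500, 5),
    (date(2010, 8, 30), "unauthorized login", 1100, 2),
    (date(2010, 11, 4), "malware", 1500, 2),
    (date(2010, 12, 12), "unauthorized login", 1300, 3),
]
# Assumed scenario: data covers 2009-2010 and an endpoint-protection control went live on 2010-01-01.
DATA_START = date(2009, 1, 1)
CONTROL_LIVE = date(2010, 1, 1)
DATA_END = date(2011, 1, 1)


def quarter(d: date) -> str:
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def quarterly_metrics(events) -> dict:
    """(quarter, category) -> count, total direct cost, mean hours to recover."""
    agg = defaultdict(lambda: {"count": 0, "cost": 0.0, "recovery_hours": 0.0})
    for d, cat, cost, hours in events:
        row = agg[(quarter(d), cat)]
        row["count"] += 1
        row["cost"] += cost
        row["recovery_hours"] += hours
    for row in agg.values():
        row["mean_recovery_hours"] = row.pop("recovery_hours") / row["count"]
    return dict(agg)


def window_rate(events, start: date, end: date, category: str) -> dict:
    """Annualised frequency and cost of one category within [start, end),
    so that windows of different length stay comparable."""
    days = (end - start).days
    sel = [e for e in events if start <= e[0] < end and e[1] == category]
    scale = 365 / days
    return {
        "events_per_year": len(sel) * scale,
        "cost_per_year": sum(e[2] for e in sel) * scale,
        "mean_recovery_hours": sum(e[3] for e in sel) / len(sel) if sel else 0.0,
    }


def mitigation_effect(events, category, start, live, end, planned_cost_reduction) -> dict:
    """Compare the window before a control went live with the window after it,
    and check the actual cost reduction against the planned one."""
    before = window_rate(events, start, live, category)
    after = window_rate(events, live, end, category)
    actual = 1 - after["cost_per_year"] / before["cost_per_year"] if before["cost_per_year"] else 0.0
    return {
        "before": before,
        "after": after,
        "actual_cost_reduction": actual,
        "planned_cost_reduction": planned_cost_reduction,
        "met_plan": actual >= planned_cost_reduction,
    }


if __name__ == "__main__":
    for (q, cat), row in sorted(quarterly_metrics(EVENTS).items()):
        print(f"{q} {cat:18s} n={row['count']} cost={row['cost']:>7,.0f} "
              f"mean recovery={row['mean_recovery_hours']:.1f}h")
    r = mitigation_effect(EVENTS, "malware", DATA_START, CONTROL_LIVE, DATA_END, 0.5)
    print(f"malware cost/year {r['before']['cost_per_year']:,.0f} -> {r['after']['cost_per_year']:,.0f}, "
          f"reduction {r['actual_cost_reduction']:.0%} vs planned "
          f"{r['planned_cost_reduction']:.0%}, met plan: {r['met_plan']}")
```

<p>Two points the numbers make that the list alone does not: frequency and cost should be trended separately (here malware frequency halved while cost fell by about 71%, because the remaining events were cheaper), and with counts this small a single expensive incident moves the result a great deal, so report the window lengths and counts next to every percentage rather than the percentage alone.</p>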
<p>This part of the series may be a little dry.  In fact it is very dry.  But if you ever want to have a process done “by the book” many of my references will come in handy.  If you can take another “dry” blog, the next blog will cover the same subject but from a return on investment perspective.  I hope it will be helpful!</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security and Privacy Compliance Auditor</p>
<p><a href="http://www.ere-security.ca/"><strong>www.ere-security.ca</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-4/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quantifying Risk and Cost of IT Security Compliance:  Part 3</title>
		<link>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-3</link>
		<comments>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-3#comments</comments>
		<pubDate>Thu, 18 Feb 2010 02:33:09 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cost of IT Security Compliance]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk of IT Security Compliance]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=181</guid>
		<description><![CDATA[This week’s blog is Part 3 of 5 parts of a series.
I think that too often security people try to “fix” every security problem.  That is not realistic or required.  Many times, it is sufficient to just identify security risks and problems to management and get them to make a decision on how they want [...]]]></description>
			<content:encoded><![CDATA[<p>This week’s blog is Part 3 of 5 parts of a series.</p>
<p>I think that too often security people try to “fix” every security problem.  That is not realistic or required.  Many times, it is sufficient to just identify security risks and problems to management and get them to make a decision on how they want to deal with it.</p>
<p>But the operative phrase is “decision on how they want to deal with it.”</p>
<h2><strong>Calculating the Cost of Mitigation</strong></h2>
<p>Security professionals are well acquainted with determining the costs of mitigation.  Senior executives sometimes think they too are familiar with these costs, based upon ads they read about anti-virus and firewall technology.</p>
<p>The danger here is that it is too easy for all concerned to focus on technology as the primary mitigation for security and compliance.  That technology alone is not sufficient is well documented in standards published by industry experts such as the NIST SP 800 series (3), ISACA COBIT (4), the PCI Security Standards (5), and NERC CIP-002 through CIP-009 (6).</p>
<p>It is well advised to consider mitigation steps that include:</p>
<p>1. Re-engineering processes, both technological and people processes.</p>
<p>2. Policy – people and technology</p>
<p>3. Technical security.</p>
<p>4. Physical security.</p>
<p>5. People processes.</p>
<p>6. Training and awareness.</p>
<p>7. Third party auditing to verify the effectiveness of all the above.</p>
<p>From an IT Security Governance perspective the optimal cost point for mitigation is where the total of the cost of risk and the cost of mitigation is lowest: spending less leaves too much exposure, and spending more buys less risk reduction than it costs.  This point can be determined graphically as in Exhibit 3 – Optimal Cost Point for Mitigation.</p>
<p><strong>Exhibit 3</strong> &#8211; Optimal Cost Point for Mitigation (3). This exhibit can’t be shown in the blog, but you can see it in a whitepaper on the ERE web site www.ere-security.ca</p>
<p>Once mitigation costs are determined, it is important to express to the IT Security Governance committee that mitigation only goes so far, and that some residual risk remains even after spending on mitigation.  The residual risk can be expressed as the cost of risk that remains after mitigation is implemented.  As shown in Exhibit 4 – Mitigation Cost vs. Chance of Event Occurrence, expenditures on mitigation reduce the cost of exposure to risk.</p>
<p><strong>Exhibit 4</strong> – Mitigation Cost vs. % Chance of Event Occurrence. This exhibit can’t be shown in the blog, but you can see it in a whitepaper on the ERE web site www.ere-security.ca</p>
<p>The IT Security Governance Committee may decide to deal with residual risk by:</p>
<p>1. Accepting the risk.</p>
<p>2. Moving the risk (insurance).</p>
<p>3. Further mitigation.</p>
<h3>Calculating Return on Security Investment (ROSI) (7)</h3>
<p>Once the total cost of security mitigation is determined, including any costs for managing residual risk, it is straightforward to calculate the return on security investment, as follows:</p>
<p><strong>ROSI = cost of mitigation  /  cost of risk</strong></p>
<p>Read this way, a ratio below 1 means the mitigation costs less than the expected loss it addresses, and the smaller the ratio the better the investment.  Note that the ROSI formula more commonly cited elsewhere expresses the return on the spend rather than a cost ratio: ROSI = (cost of risk avoided &#8211; cost of mitigation) / cost of mitigation, where the cost of risk avoided is the reduction in annual loss expectancy the mitigation produces.  Either form works for comparing options, as long as the same one is used consistently.</p>
<p>When calculating ROSI it is important to allocate mitigation costs on a pro-rated basis across all the costs of risk to which they apply; a single control such as network segmentation typically reduces several risks at once.  In this way ROSI can be calculated and evaluated more accurately by each profit and loss manager and associated stakeholder.</p>
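<p>The arithmetic of this part and the previous one is simple per risk, but the interesting work is in combining them: several controls, each covering several risks, pro-rated costs, residual risk, and then picking the option that minimises risk plus mitigation (Exhibit 3). The script below is an added example and not code from the post or the ERE whitepaper. It uses the ALE definition from Part 2 of this series (cost of event x chance of occurrence), pro-rates each control’s annual cost across the risks it applies to in proportion to their ALE, reports both the cost ratio defined above and the common ROSI form, and chooses the cheapest option overall. The risks, controls, costs and the assumption that independent controls each scale a risk’s chance by (1 &#8211; reduction) are all constructed for illustration.</p>

```python
"""Worked risk-cost model for the series' formulas: ALE (Part 2), pro-rated
mitigation cost, residual risk, the optimal cost point (Exhibit 3) and ROSI.

All figures and the reduction model below are constructed for illustration;
they are not from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    cost_of_event: float    # estimated cost of one occurrence
    chance_per_year: float  # probability of occurrence in any one year, 0..1

    @property
    def ale(self) -> float:
        # Part 2: annual loss expectancy = cost of event x chance of occurrence
        return self.cost_of_event * self.chance_per_year


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float
    # risk name -> fraction by which this control reduces that risk's chance (assumed model)
    reduction: dict


def allocate_cost(control: Mitigation, risks: dict) -> dict:
    """Pro-rate a control's annual cost across the risks it applies to,
    weighted by each risk's share of their combined ALE."""
    covered = {n: risks[n].ale for n in control.reduction if n in risks}
    total = sum(covered.values())
    if total == 0:  # nothing to weight by: split evenly
        return {n: control.annual_cost / len(covered) for n in covered}
    return {n: control.annual_cost * ale / total for n, ale in covered.items()}


def residual_chance(risk: Risk, controls: list) -> float:
    """Assumed model: independent controls, each scaling the chance by (1 - reduction)."""
    chance = risk.chance_per_year
    for c in controls:
        chance *= 1.0 - c.reduction.get(risk.name, 0.0)
    return chance


def evaluate(risks: dict, controls: list) -> dict:
    """Per-risk figures for one mitigation option (a list of controls)."""
    spend = {name: 0.0 for name in risks}
    for c in controls:
        for name, share in allocate_cost(c, risks).items():
            spend[name] += share
    report = {}
    for r in risks.values():
        residual = r.cost_of_event * residual_chance(r, controls)
        cost = spend[r.name]
        report[r.name] = {
            "ale": r.ale,
            "residual_ale": residual,  # cost of risk remaining after mitigation
            "mitigation_cost": cost,
            "cost_ratio": cost / r.ale if r.ale else None,  # the post's ROSI: mitigation / risk
            "rosi": ((r.ale - residual) - cost) / cost if cost else None,  # common ROSI form
            "total_cost": residual + cost,
        }
    return report


def total_cost(report: dict) -> float:
    return sum(v["total_cost"] for v in report.values())


def optimal_option(risks: dict, options: dict):
    """Exhibit 3 in code: the option whose residual risk + mitigation spend is lowest."""
    cost, name = min((total_cost(evaluate(risks, ctrls)), name) for name, ctrls in options.items())
    return name, cost


# Constructed risks and controls (assumptions, not figures from the post)
RISKS = {r.name: r for r in [
    Risk("ransomware outage", cost_of_event=400_000, chance_per_year=0.25),
    Risk("card data breach", cost_of_event=900_000, chance_per_year=0.10),
    Risk("privacy complaint", cost_of_event=50_000, chance_per_year=0.40),
]}
BACKUPS = Mitigation("offline backups + EDR", 30_000, {"ransomware outage": 0.6, "card data breach": 0.2})
SEGMENTATION = Mitigation("network segmentation", 60_000, {"ransomware outage": 0.3, "card data breach": 0.5})
TRAINING = Mitigation("awareness training", 8_000, {"ransomware outage": 0.2, "privacy complaint": 0.5})
OPTIONS = {
    "do nothing": [],
    "backups only": [BACKUPS],
    "backups + training": [BACKUPS, TRAINING],
    "all three": [BACKUPS, SEGMENTATION, TRAINING],
}

if __name__ == "__main__":
    for name, ctrls in OPTIONS.items():
        print(f"{name:20s} risk + mitigation {total_cost(evaluate(RISKS, ctrls)):>10,.0f}")
    best, cost = optimal_option(RISKS, OPTIONS)
    print(f"optimal option: {best} at {cost:,.0f}")
    for risk, v in evaluate(RISKS, OPTIONS[best]).items():
        print(f"  {risk:18s} ALE {v['ale']:>8,.0f} residual {v['residual_ale']:>8,.0f} "
              f"spend {v['mitigation_cost']:>8,.0f} cost ratio {v['cost_ratio']:.2f} ROSI {v['rosi']:.2f}")
```

<p>With these inputs the cheapest option overall is the two smaller controls, not all three: segmentation removes a further 45,600 of expected loss but costs 60,000, so the total rises again past the optimal point. That is the shape of Exhibit 3 in numbers, and it is the argument to put in front of the governance committee when the request is to justify a budget rather than to buy every control on offer.</p>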
<p>The next blog will deal with figuring out if the cost of mitigation were worth it!</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security and Privacy Compliance Auditor</p>
<p>www.ere-security.ca</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-3/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Quantifying Risk and Cost of IT Security Compliance:  Part 2</title>
		<link>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-2</link>
		<comments>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-2#comments</comments>
		<pubDate>Thu, 11 Feb 2010 19:53:02 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cost of IT Security Compliance]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk of IT Security Compliance]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=175</guid>
		<description><![CDATA[This week’s blog is Part 2 of 5 parts of a series.
I know it is time consuming to do the analysis for building a business case.   I’ve seen the frustration on the faces of security types who present business cases for their budget and management gives them a rough time.
Hopefully these articles will be helpful.
The [...]]]></description>
			<content:encoded><![CDATA[<p>This week’s blog is Part 2 of 5 parts of a series.</p>
<p>I know it is time consuming to do the analysis for building a business case.   I’ve seen the frustration on the faces of security types who present business cases for their budget and management gives them a rough time.</p>
<p>Hopefully these articles will be helpful.</p>
<p>The next logical step is to associate an actual cost with each event. Various methods can be used, either separately or together with an averaging metric, to estimate the cost per occurrence of an event.  These methods may include:</p>
<p>1. Soliciting expert advice from financial management, lawyers, and risk management consultants.</p>
<p>2. Conducting a straw poll of stakeholders, each estimating the downside cost of an event.</p>
<p>3. Participating in a fact gathering survey of similar businesses, each of which provides factual and straw poll estimates of the cost of an event.</p>
<p>4. Purchasing statistical information from industry experts regarding the cost of an event.</p>
<p>5. Obtaining statistical information from industry associations about the cost of an event experienced by their membership.</p>
<p>Using a similar methodology, the next step is to determine the likelihood of an event occurring.  The most useful way of expressing likelihood is as the % chance of an event occurring in any one year.</p>
<p>However, any likelihood estimate should also be adjusted to account for changes in the security environment.  There are typically evolving waves of new threats that may affect the likelihood of occurrence, such as these previous waves:</p>
<p>1. Viruses</p>
<p>2. Malware of all sorts</p>
<p>3. DDOS</p>
<p>4. Identity Theft</p>
<p>The likelihood estimate can then be used to:</p>
<p>1. Qualitatively express cost vs. likelihood as in Exhibit 1 &#8211; Potential Cost vs. % Probability of Occurrence.</p>
<p>2. Calculate the quantitative Annual Loss Expectancy.</p>
<p>Exhibit 1 &#8211; Potential Cost vs. Probability of Occurrence (1)</p>
<p>This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca</p>
<p>Obviously, the aim is to prioritize mitigation so that high-risk / high-cost situations are dealt with first.</p>
<h3>Annual Loss Expectancy (ALE) (2)</h3>
<p>The step from qualitative to quantitative risk analysis logically occurs at this point, where the team evaluating risk triages the results of Exhibit 1 in order to decide on the risks they intend to focus on.</p>
<p>The potential cost of those risks can be determined by calculating their Annual Loss Expectancy.  The annual loss expectancy is the annualized estimated cost of the occurrence of any type of event.  This number is useful for comparison with the annual cost of mitigation.  The ALE for an event is calculated by multiplying the previously determined cost of the event by the chance of its occurrence in any one year.</p>
<p><strong>Annual loss expectancy = cost of event x chance of occurrence</strong></p>
<p>Next week I will discuss the ins and outs of calculating the cost of minimizing risk and how to present this to the executives.</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security and Privacy Compliance Auditor</p>
<p>www.ere-security.ca</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quantifying Risk and Cost of IT Security Compliance:  Part 1</title>
		<link>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-1</link>
		<comments>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-1#comments</comments>
		<pubDate>Thu, 04 Feb 2010 19:44:57 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Cost of Security Compliance]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk of Security Compliance]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=171</guid>
		<description><![CDATA[This week’s blog is Part 1 of 5 parts of a series.
Over the years many IT security professionals have told me about their challenges of getting the appropriately sized security budget approved.  In my opinion many senior executives believe that if they have not endured a serious security breach, then there simply are not any [...]]]></description>
			<content:encoded><![CDATA[<p>This week’s blog is Part 1 of 5 parts of a series.</p>
<p>Over the years many IT security professionals have told me about their challenges of getting the appropriately sized security budget approved.  In my opinion many senior executives believe that if they have not endured a serious security breach, then there simply are not any security risks.  That is my motivation for writing this series.</p>
<h2>Executive Summary</h2>
<p>IT security and security compliance are expensive to successfully achieve.  Now pile on privacy compliance and an array of regulatory compliance obligations and the costs skyrocket.</p>
<p>The key to getting the IT Security Governance committee to fund the appropriate compliance budget is to speak their language.</p>
<p>In order to do that, risks need to be expressed in terms of costs for executives.  Specifically costs need to be identified as: Potential cost of losses, mitigation costs, the total costs (potential cost of losses + mitigation costs) and residual costs.</p>
<p>In order to be clear and meaningful for the intended audience, the material should be presented graphically, presenting changes in both cost and risk over time.</p>
<p>This trending analysis is most useful for supporting the ability of the IT Security Governance committee to make well informed decisions on how to most effectively invest in security, thereby deriving optimal payback for stakeholders.</p>
<h2>Identifying Risk and its Business Impact</h2>
<p>The costs of the risks associated with IT security and privacy, and with non-compliance with regulations and standards, and their resulting negative impact on the business can be broadly identified as follows:</p>
<p>1. Loss of revenue or production due to unavailability of production resource.</p>
<p>2. Time and effort to recover from a security related loss of production.</p>
<p>3. Legal.</p>
<p>4. Damage to brand.</p>
<p>5. Regulatory compliance violations.</p>
<p>6. Privacy compliance violations.</p>
<p>7. Damage to client and vendor relationships.</p>
<p>8. Loss of intellectual, competitive or proprietary information.</p>
<p>9. Un-captured profits resulting from inability to demonstrate to clients / vendors / partners a strong security process.</p>
<p>The cost of risk is the resulting impact on business that may be incurred should a risk become a reality or an event.  Determining the cost of a potential event is difficult at best.  However, it can be accomplished by employing one or more quantitative and qualitative methods, and should be undertaken by those most qualified to do so.</p>
<p>Those most qualified are unit profit and loss managers, stakeholders, and executives with quantitative insight into how an event would affect their work domain.</p>
<p>The cost of various types of events can be viewed as categories of low, medium, and high cost.  This qualitative analysis is not useful in itself, but it may assist management on how to prioritize the order in which they will perform a more in depth risk analysis.</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security and Privacy Compliance Auditors</p>
<p>www.ere-security.ca</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/quantifying-risk-and-cost-of-it-security-compliance-part-1/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
