What’s In Your Wallet?

December 28, 2009

A few weeks back I jumped feet first into a blog post at Securosis by David Mortman titled “Changing The Game”. There are a lot of comments but one comment in particular by Rich Mogull has resulted in me doing some soul searching, adding a new question to my bank of interview questions, and forcing me to write a blog post (while on Christmas / New Year’s vacation).

Below is the majority of the comment that Rich made:

“The problem I think we have in infosec is that the economics are skewed to distort risk analysis (see my post on the anonymization of losses), and we fundamentally lack the proper data to make truly informed risk decisions.

I do think we are creeping slowly in the right direction- the Verizon report is one example on the data front, and it’s the main reason we are focusing so much on metrics models.

One area where I do think we need to be cautious is the need in many financial and insurance models to tie everything to monetary value. Since “loss” has a different meaning in the digital world due to us usually not losing access to the asset as with physical loss, the models don’t fully translate.”

So here is my question to you as a reader: What Is Your Information Risk Management Philosophy in regards to risk quantification? Do you even have one?

There is a lot of skepticism in our industry – sometimes packaged as healthy scrutiny – when it comes to the topic of risk quantification and tying loss forms to monetary values. Below are some of my “philosophical” thoughts about Information Risk Management specifically as it pertains to risk quantification.

1.    Security Events / Incidents Have An Opportunity Cost. When something “bad” occurs – it costs the company money to respond. Whether it is “green dollars” going out the door or soft dollars associated with the hourly cost of full time employees responding to the event, the reality is that the company will deal with the incident and that response effort usually takes away from other responsibilities or objectives. We can count green dollars, but counting the internal costs can be more challenging; the size and maturity of the HR/IT organization will factor into the ease of doing this. Bottom line: It costs money.

2.    It Costs Money to Maintain a Security Posture. One of the executives at my company referred to this concept as “anchoring costs”. A perfect example of this is malware protection. A company may spend $125,000 dollars a year in malware maintenance / support fees; a solution that is considered to be 96% effective against malware in the wild with advanced detection / heuristic capabilities.  For simple illustration purposes, let’s state that there are two full-time employees on the malware team ($50K each) – that’s an additional (minimum, excluding benefits, etc..) $100K on top of the $125K to manage, maintain, and support a malware protection capability; a grand total of $225K per year. This is an example of an anchoring cost: the company is spending $225K a year to protect against a malware outbreak or event that could result in loss of productivity – i.e. deliver its value proposition – or prevent data theft / compromise. We could probably spend a few days debating if this particular anchoring cost accounts for the expected amount we would lose in a given year without malware protection or if this annual anchoring cost is to address a risk value further out in a loss distribution (1-in20; 80th percentile, 1-in-100; 99th percentile). Bottom line: It costs money to maintain a security posture.

3.    Overcapitalization. Now we are moving into the ERM space – and this concept may be limited in scope from an industry perspective – but it is evolving and can facilitate decision making in some organizations. Economic capital models account for various types of risk. One of those risk types is operational risk – of which information security and continuity management risks fall under. Below is a broad definition of economic capital (Wikipedia):

“Economic capital is the amount of risk capital, assessed on a realistic basis, which a firm requires to cover the risks that it is running or collecting as a going concern, such as market risk, credit risk, and operational risk.” (BTW, I really like the phrase “assessed on a realistic basis”)

One analogy I read on overcapitalization in the last few days was comparing overcapitalization to an overweight person. Too much weight can lead to health problems and other challenges. In addition, the extra weight inhibits our flexibility and speed.

Assuming that you are quantifying risk issues, and assuming that these data points can be rolled up into an economic capital model – it is clear that risk quantification for the information security / continuity management issues we manage- can contribute to enterprise risk management. I think an argument can be made – especially in the insurance industry – that company leadership has much more opportunity and influence to manage (reduce) operational risk – then other risk types, for example weather / catastrophe risk. Yes, operational risk is probably a very small percentage of economic capital. However, the higher the economic capital amount – the higher cost to the company to maintain that amount and it could reduce their ability to use some of that money for other purposes. In addition, regardless if operational risk is only a tiny percentage of economic capital models – the margin of difference between competing products and competitors in the market place is sometimes so small that reducing just a small percentage of expenses or operational risk – could result in some form of competitive advantage (product pricing, investments, expansion, etc..).

Bottom line: I would rather be contributing to our business in a strategic manner using words, concepts and measurement methods  they are familiar with, versus some qualitative approach that does not lend itself to effective decision making.

4.    Motives. Given the current economic climate, a lot of people (infosec professionals, infosec executives, friends, relatives, etc..) are skeptical of risk models. I understand why. Here is how I professionally reconcile such concerns / skepticisms.

a.    Apples and Oranges. Economic capital models ( and at a smaller level – risk issue quantification) and investment models have different purposes. The former is about ensuring a company can covers its liabilities. The latter – in most cases – is about opportunity – profit.

b.    Motives. I think you have to look at the motives of companies or individuals that are attempting to quantify information security / continuity management risk. What they are trying to do is ensure that their company understands their exposure in the information risk management space. This is where the phrase “assessed on a realistic basis” comes back to mind. Is a sound and repeatable risk assessment methodology being used consistently to assess risks? Are loss forms that are being estimated best case, most likely loss, worse case loss or a combination (distribution) of the three? Are we packaging information that allows effective decision making, or are we “crying wolf” and packaging scare tactics? In most cases, information risk management groups are just trying to give the best information. Yes, there will be misses in either frequency of loss or magnitude of loss – but that is the nature of risk.

So there you have it, some of my thoughts on risk quantification and why I support it passionately. Ask yourself, “Can I defend why I am passionate about my favorite aspect of information risk management?” If not, I challenge you to go through the thought exercises.  I welcome your feedback.

Happy Holidays!


Verizon – 2009 Data Breach Investigations Supplemental Report

December 9, 2009

This is no doubt one of many blog posts regarding the Verizon Business RISK Team “2009 Data Breach Investigations Supplemental Report” (DBISR). Below are a few of my thoughts.

1.    Quality of the Data. While it is neither the intent or spirit of the report to compare the usefulness of the information or the quality of the data to public data sources, I think it is important to recognize that the facts being collected by the Verizon team are generally more credible then the third-party sources that other public sources rely upon. In scenarios where I am trying to gather information about a breach or compiling a dataset for analysis – I am going to have a higher level of confidence in data / information from sources closer to the incident – then third parties just reporting on it. This does not mean that 3rd-party data is not legit – I am just suggesting the quality – from an accuracy and reliability perspective – is different and should be recognized.

2.    Data Overlap. On page 23 – is a table comparing the Verizon IR breaches and records lost to the equivalent DataLossDB values (keep in mind these are point in time values). The question I have is, how many of the 592 breaches in Verizon’s dataset are accounted for in the DataLossDB dataset? The reality is that in some US states (assuming all the breaches were in the US), data breach notification is not required, so an event can occur that does not result in breach notification to the consumer or the applicable State Attorneys General. If there were a difference between Verizon and DataLossDB – it only strengthens my confidence in their data because it contains credible data points not represented elsewhere (private consortium data aside).

3.    Threat Action “Profiles”. If you have not printed pages 5-21 and posted them on your cubicle / office wall – or recommended to your peers or other information security professionals – why not? Seriously. Threat actor / threat community profiles are such a valuable resource for security / risk practitioners to quickly reference, especially when we are dealing with dozens of threats and hundreds of controls. I can assure you that I will probably incorporate some of the DBSIR “threat action” profiles for some work I am doing in this same space with my employer – good job Verizon!

4.    Industry. My final observation is related to the industry and size of companies where breaches have occurred. I have blogged about this recently and I only mention this to remind folks that not every data point whether it is from Verizon, DataLossDB, PrivacyRights.Org, or other public / private data sources may be relevant to your industry or your company. The reality is that there are different expectations and regulatory requirements between industries and you have to keep that in mind while in the process of drawing conclusions from these types of reports.

Overall, two thumbs up to the Verizon Business RISK team. I commend them on their willingness to share this information and their desire to influence our industry as a whole.