Quantifying Security
Cybersecurity threats and risks are notoriously hard to quantify and estimate. Some vulnerabilities, such as buffer overflows, are well understood, and we can scrutinize our systems to find and fix them. But other vulnerabilities are less understood or not yet apparent. For example, how do you predict the likelihood that a hacker will attack a network, and how do you know the precise value of the assets the hacker will compromise? Even for events that have happened (such as widespread virus attacks), estimates of the damage vary widely, so how can we be expected to estimate the costs of events that have not happened?
Sidebar 9-1: A Business Case for Web Applications Security
Cafésoft [CAF06] presents a business case for web applications security on its corporate web site. The business case explains the return on investment for an organization that secures its web applications. The ROI argument has four thrusts.
Revenue: Increases in revenue can occur because the security increases trust in the web site or the company.
Costs: The cost argument is broader than simply the installation, operation, and maintenance of the security application. It includes cost savings (for example, from fewer security breaches), cost avoidance (for example, from fewer calls to the help desk), efficiency (for example, from the ability to handle more customer requests), and effectiveness (for example, from the ability to provide more services).
Compliance: Security practices can derive from the organization, a standards body, a regulatory body, best practice, or simply agreement with other organizations. Failure to implement regulatory security practices can lead to fines, imprisonment, or bad publicity that can affect current and future revenues. Failure to comply with agreed-upon standards with other organizations or with customers can lead to lost business or lost competitive advantage.
Risk: There are consequences to not implementing the proposed security measures. They can involve loss of market share, loss of productivity, or legal exposure.
To build the argument, Cafésoft recommends establishing a baseline set of costs for current operations of a web application and then using a set of measurements to determine how security might change the baseline. For example, the number of help-desk requests could be measured currently. Then, the proposer could estimate the reduction in help-desk requests as a result of eliminating user self-registration and password management. These guidelines can act as a more general framework for calculating return on investment for any security technology. Revenue, cost, compliance, and risk are the four elements that characterize the costs and benefits to any organization.
Unfortunately, quantification and estimation are exactly what security officers must do to justify spending on security. Every security officer can describe a worst-case scenario under which losses are horrific. But such arguments tend to have a diminishing impact: after management has spent money to counter one possible serious threat that did not occur, it is reluctant to spend again to cover another possible serious threat.
Gordon and Loeb [GOR02a] argue that for a given potential loss, a firm should not necessarily match its amount of investment to the potential impact on any resource. Because extremely vulnerable information may also be extremely costly to protect, a firm may be better off concentrating its protection resources on information with lower vulnerabilities.
The model that Gordon and Loeb present suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach. Spending $1 million to protect against a loss of $1 million but with a low expected likelihood is less appropriate than spending $10,000 to protect against a highly likely $100,000 breach.
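The comparison above can be made mechanical. The following Python example is added here and is not from the textbook or from Gordon and Loeb's paper; it models a threat as (single-loss amount, annual probability) and a control as (annual cost, residual probability once the control is in place), computes the expected loss and the net expected benefit of each control, and ranks controls by benefit while rejecting any whose cost exceeds a chosen fraction of the expected loss. The probabilities (0.02 for the "low likelihood" $1 million loss, 0.8 for the "highly likely" $100,000 breach), the residual probabilities, and the 0.37 spending cap are constructed assumptions for illustration; the page itself only says "a small fraction".

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Threat:
    name: str
    loss: float          # single-loss expectancy in dollars if the breach occurs
    probability: float   # annual probability of the breach, in [0, 1]


@dataclass(frozen=True)
class Control:
    name: str
    threat: Threat
    cost: float                  # annual cost of buying and operating the control
    residual_probability: float  # breach probability with the control in place


def expected_loss(threat: Threat) -> float:
    """Annualized loss expectancy: impact times likelihood."""
    return threat.loss * threat.probability


def expected_benefit(control: Control) -> float:
    """Reduction in expected loss bought by the control, minus what it costs."""
    avoided = (control.threat.probability - control.residual_probability) * control.threat.loss
    return avoided - control.cost


def spend_ratio(control: Control) -> float:
    """Control cost as a fraction of the expected loss it addresses."""
    return control.cost / expected_loss(control.threat)


def rank_controls(controls: Iterable[Control], max_ratio: float) -> List[str]:
    """Names of controls worth funding, best first.

    A control is rejected if it costs more than max_ratio of the expected loss
    (the "small fraction" heuristic) or if its net expected benefit is not positive.
    """
    funded = [c for c in controls
              if spend_ratio(c) <= max_ratio and expected_benefit(c) > 0]
    return [c.name for c in sorted(funded, key=expected_benefit, reverse=True)]


# Constructed inputs mirroring the two cases in the text; probabilities are assumed.
RARE_BIG = Threat("rare $1M loss", loss=1_000_000, probability=0.02)
LIKELY_SMALL = Threat("likely $100K breach", loss=100_000, probability=0.8)

OVERSPEND = Control("spend $1M on rare loss", RARE_BIG, cost=1_000_000, residual_probability=0.0)
SENSIBLE = Control("spend $10K on likely breach", LIKELY_SMALL, cost=10_000, residual_probability=0.1)

SPEND_CAP = 0.37  # assumed cap on cost / expected loss; the page says only "a small fraction"


def demo() -> List[str]:
    return rank_controls([OVERSPEND, SENSIBLE], SPEND_CAP)


if __name__ == "__main__":
    for c in (OVERSPEND, SENSIBLE):
        print(f"{c.name}: expected loss ${expected_loss(c.threat):,.0f}, "
              f"net benefit ${expected_benefit(c):,.0f}, cost/expected-loss {spend_ratio(c):.2f}")
    print("fund:", demo())
```

With these inputs the $1 million control addresses an expected loss of only $20,000, so its net benefit is deeply negative and its cost is 50 times the expected loss; the $10,000 control addresses an expected loss of $80,000, yields a net benefit of $60,000, and costs an eighth of the expected loss, so it is the only one ranked for funding.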