Security threat assessment is a subset, albeit a major subset, of risk management, and the same principles apply. A risk (and the threat behind it) can be accepted (do nothing), avoided (do something different), transferred (insurance) or mitigated (which involves the whole gamut of the infosecurity industry). But there is one big difference between a corporate physical risk such as fire, flood or earthquake and a data security threat: for the latter it is difficult to quantify either the likelihood of a loss or the actual cost of a loss of data. Since insurance pricing is built on exactly those two figures, transferring the risk is not a major option in the management of security threats.
Acceptance and avoidance are also difficult. Acceptance is dangerous. “It’s a bit like speeding,” suggests Ed Macnair of Overtis. “We all do it and just hope we’ll get away with it.” That’s fine until we don’t get away with it.
And avoidance is frequently impractical. Can we avoid using the internet because the internet is a dangerous place? Probably not.
Which just leaves mitigation – the purchase of products and application of policies designed to prevent or alleviate the effects of threats to our information. But as we have already noted: it is difficult to assess either the likelihood or cost of security events, which places the burden of threat assessment on a qualitative rather than quantitative footing. Put simply, information security threat assessment is based on the subjective knowledge and experience of the assessors rather than the objective application of mathematical formulae. It is a black art best performed by practitioners totally immersed in their craft.
In theory, you could always employ external experts to assess your security risk and implement adequate mitigation. In reality, this would be the wrong approach. The threat is constant and continuously evolving, so you need continuous assessment. Qualitative infosecurity threat assessment is best done in-house on a continuous basis with occasional reinforcement from external specialists. You need to understand the threats, be aware of the available defences, and be able to make a value judgement on how best to use your available budget to protect your data.
First you must understand the threats. They come from two sources, malicious software and malicious people (usually the former in the hands of the latter), and they have two objectives: to steal your data or to damage your business. Malicious software will seek to infiltrate your systems and exfiltrate your data, whether personal data (for identity theft, bank fraud, blackmail and so on) or intellectual property (industrial espionage); or it will seek to damage your business, as in the elimination of a competitor, cyberwarfare or revenge.
The most common threat is malware installed on your systems, and the most common defence is a perimeter barrier such as a firewall or unified threat management system. Malware is delivered by any method the attacker thinks might work, such as an infected email attachment or a trojan hidden inside an apparently useful application. These days a common method is to compromise a popular, legitimate web page so that merely visiting it silently fetches a larger piece of malware from a second site under the attacker's control (a drive-by download). The problem with barrier defences is that they only inspect what crosses the barrier: if it is breached and the malware is already on the inside, you might never know about it.
So do you consider further internal defences to patrol your network looking for anomalous behaviour? This is where your qualitative assessment comes in. You need to consider the value that is at risk and the cost of defending that value. How much security is it worth buying to safeguard that value?
But there are two further considerations you need to bear in mind. Firstly, as Ed Macnair comments: “Banks don’t rob themselves – people do that.” Ultimately it is people who steal data, whether cybercriminals outside your network or disgruntled staff inside it, who already have legitimate access. So the value of keeping bad people away from your data, and the cost of doing so, should also be assessed.
And finally, in many cases you have no legal option but to install a degree of security. This is called ‘compliance’, complying with, for example, data protection or financial regulations. One problem here is that regulations often state what must be achieved, but not how to achieve it. “I was talking to a very large investment bank, one of the world’s largest,” explained Macnair. “Over the last couple of years they have spent $20 million on a variety of tools from a leading security company. I asked them how much of this technology they had actually deployed, and the answer was ‘hardly any’. The very fact that they had bought the tools would keep the regulators off their back.” One has to hope that this is a conscious decision based on a thorough assessment of the threat from both cybercriminals and financial regulators.
The problem with quantitative security threat assessment
One of the biggest problems in information security is the ‘zero-day vulnerability’: a flaw that is unknown to the vendor and to defenders at the time it is exploited, so no patch or immediate remediation exists. Attackers may have known about it for far longer; the name says only that defenders have had zero days to respond. Because it is by definition unknown, its likelihood cannot be estimated in advance.
One of the worst effects of a security attack is the complete loss of access to your data. Studies have shown that such a loss, for even just a few days, can prove fatal to the business.
This means that, quantitatively, you need to plan for an event whose likelihood you cannot estimate and whose cost could be anything from nothing to the total value of your company.
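The last two paragraphs can be made concrete with a small calculation. The following is an added example, not part of the original article: it compares the annualised-loss interval for a well-characterised physical risk (a fire, with actuarial data behind it) against a data breach whose likelihood and cost are known only as wide ranges, as the article argues they are. The scenario names, every figure in them, the choice of uniform distributions and the Monte Carlo approach are constructed assumptions for illustration, not data.

```python
"""Added example: what a quantitative loss estimate looks like when neither
likelihood nor cost of a security event can be pinned down.

All scenario figures are constructed for illustration, not measured data.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """An event whose likelihood and impact are known only as ranges."""
    name: str
    prob_low: float    # lower bound on annual probability of occurrence
    prob_high: float   # upper bound on annual probability of occurrence
    loss_low: float    # lower bound on loss per occurrence (currency units)
    loss_high: float   # upper bound on loss per occurrence


def ale_interval(s: Scenario) -> tuple[float, float]:
    """Best- and worst-case annualised loss expectancy (probability x loss)."""
    return (s.prob_low * s.loss_low, s.prob_high * s.loss_high)


def spread(s: Scenario) -> float:
    """How many times wider the worst case is than the best case (inf if best is 0)."""
    low, high = ale_interval(s)
    return float("inf") if low == 0 else high / low


def simulate_annual_losses(s: Scenario, years: int, rng: random.Random) -> list[float]:
    """Monte Carlo: each year draw a probability from its range, decide whether
    the event happens, and if so draw a loss from its range.
    Uniform draws are an assumption; the article gives no distribution."""
    losses: list[float] = []
    for _ in range(years):
        p = rng.uniform(s.prob_low, s.prob_high)
        losses.append(rng.uniform(s.loss_low, s.loss_high) if rng.random() < p else 0.0)
    return losses


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarise(s: Scenario, years: int = 100_000, seed: int = 1) -> dict[str, float]:
    """Interval bounds plus simulated mean and 95th percentile for one scenario."""
    sims = simulate_annual_losses(s, years, random.Random(seed))
    low, high = ale_interval(s)
    return {"low": low, "high": high, "spread": spread(s),
            "mean": sum(sims) / len(sims), "p95": percentile(sims, 0.95)}


# Constructed scenarios (assumptions). Fire is an insurable physical risk with
# narrow, actuarially backed ranges; the breach ranges are deliberately wide,
# with the upper loss bound set to the whole (assumed) value of the company.
FIRE = Scenario("office fire", 0.01, 0.02, 200_000, 500_000)
BREACH = Scenario("data breach", 0.05, 0.90, 0, 10_000_000)

if __name__ == "__main__":
    for sc in (FIRE, BREACH):
        r = summarise(sc)
        print(f"{sc.name}: ALE {r['low']:,.0f}..{r['high']:,.0f} (spread x{r['spread']:.0f}); "
              f"simulated mean {r['mean']:,.0f}, 95th percentile {r['p95']:,.0f}")
```

Run it and the fire scenario yields a five-fold interval, the kind of figure an insurer can price. The breach interval runs from zero to ninety per cent of the company's assumed value, and its simulated 95th percentile sits near the top of that range: the arithmetic is valid, but the number it produces carries no more information than the qualitative judgement that went into the input ranges.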