Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/6/2013
08:06 AM
Pete Lindstrom
Pete Lindstrom
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

IT Security Risk Management: Is It Worth The Cost?

The attitude that IT security risk shouldn't be governed by traditional measures of cost and benefit is ludicrous.

At RSA a few years back, I was in a presentation by a CISO of a major company who asserted that he would spend "whatever it takes" to secure his company. This kind of rhetoric isn't uncommon, especially with those organizations that don't have any budget. What really surprised me though was that a senior IT security risk management professional of a large company would say such a thing.

I am pretty sure he didn't actually mean he would spend, say, $10 billion on security. But the attitude that tech risk management shouldn't be governed by traditional measures of cost and benefit is ludicrous, despite the fact that the "whatever it takes" approach plays well to security professionals. After all, we have dedicated our careers to protecting information and computer assets, and we see the potential for damaging people's lives when personal information gets leaked.

The problem is that in order for us to be taken seriously within our organizations, we need to eliminate the emotional element from our pronouncements and policies.  Instead, we should focus on providing appropriate security in appropriate places. (Even writing this makes me feel callous and cold, but that is the economic reality of business.)

Does that mean we should simply advocate for "appropriate" security measures and leave it at that? Hardly.  It's way too common for individuals to have varying opinions about what appropriate actually means. A better approach is to look to history and the laws that have set precedents for determining when organizations are "negligent."

For example, back in 1932 Judge Learned Hand decided in US v TJ Hooper that "...a whole calling may have unduly lagged in the adoption of new and available devices." He went on to say that "...there are precautions so imperative that even their universal disregard will not excuse their omission." This opinion may have opened up the floodgates on negligence because it implies an unattainable level of foresight with damages determined in hindsight.

Luckily, Judge Hand realized this weakness (albeit 15 years later) and followed up with a more realistic formula for determining negligence: "...if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B less than PL." (US v. Carroll Towing, 1947). If that formula for negligence looks familiar, it should -- it is a manifestation of the formula we use to measure risk.

In short, Judge Hand ascribes a cost-benefit equation to determining negligence, effectively asserting that we should spend only as much as the consequences might cost, discounted by the likelihood of a negative event within the scope of circumstances.

So, instead of "whatever it takes," IT security risk management professionals should be spending "as much as necessary, not to exceed the value of the potential losses." Many tech risk pros intuitively understand this. But others are so caught up in the operational reality of putting out daily fires that they don't get the opportunity to put it into practice.

That’s a crucial mistake if you want to be taken seriously internally when it comes to managing IT security.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Gary Scott
100%
0%
Gary Scott,
User Rank: Strategist
12/27/2013 | 2:45:02 PM
"Whatever it takes" is less than $5.00
I've seen companies with the "whatever it takes" mentality change their stance when it comes to data destruction.  We are a NAID certified company providing onsite hard drive destruction - we also carry professional liability insurance with breach notification coverage.    

We've seen some of these companies claiming "whatever it takes" balk at our $5.00 per hard drive destruction fee.  Instead of secure destruction, they risk losing confidential information by allowing an electronic recycler remove drives from their custody with the "promise" of complete erasure.    
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/9/2013 | 11:42:09 AM
Re: Negligence, not risk a better metric for IT security
I'd say bankruptcy following a hack is a pretty accurate way to quantify "L" and the DigiNotar incident in which the Dutch certificate authority (DigiNotar of Holland) was compromised and manipulated into issuing fraudulent certificates for Google and other large sites is a pretty stunning examploe of how to determine what an "appropriate"  IT security risk management should look like.
plindstrom193
50%
50%
plindstrom193,
User Rank: Apprentice
12/7/2013 | 9:33:48 PM
Re: Negligence, not risk a better metric for IT security
I'm not sure why you think Diginotar's situation is inconsistent with my comments. They are the perfect example of how 'reputation problems' can easily be shown to have economic losses.
dak3
50%
50%
dak3,
User Rank: Moderator
12/7/2013 | 1:09:15 PM
Re: Negligence, not risk a better metric for IT security
You might want to ask the folks at DigiNotar about that

 

:)

 
plindstrom193
50%
50%
plindstrom193,
User Rank: Apprentice
12/7/2013 | 11:46:56 AM
Re: Negligence, not risk a better metric for IT security
Hi, Dak3 -

That is a common lament. I suggest we keep in mind that these are economic entities we're talking about, not people. So any "reputational damage" *must* reflect in higher costs or lower revenue. While that is certainly possible, attempts by economists to glean economic damage have all fallen flat in the past.

The notion of being "beyond counting" is typically a reflection of disagreement in the "market" - you and I may not pay the same amount for, say, a signed baseball from World Series Champions Boston Red Sox, but it can be valued nevertheless. Same goes with companies buying companies or even more obvious intangibles.

Btw, we don't really need some absolute value of 'L' - all we need to know is how much has been spent (the 'B') so that we can make the higher or lower comparison to 'P * L.' 

Thanks for the comment,

Pete
dak3
50%
50%
dak3,
User Rank: Moderator
12/6/2013 | 5:38:48 PM
Re: Negligence, not risk a better metric for IT security
The problem, though, is figuring out the "L". Loss is both monetary and reputaional and the "cost" of making the organization whole may be neyond counting...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 2:27:21 PM
Negligence, not risk a better metric for IT security
Thank you Pete Lindstrom and Judge Learned Hand for that common sense measure & definition of IT security risk management. The history lesson was also very interesting.

 

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15037
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2019-4323
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
CVE-2019-4324
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2020-15036
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-15577
PUBLISHED: 2020-07-07
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).