How Security Weaknesses Can Impact Business
February 5, 2012
Organizations are continually trying to find ways to justify the need for their security programs. This has always been a challenging task for security departments, since budget decision makers want to know the justification and/or the return on investment (ROI). It becomes an even more difficult issue if nothing bad happens. In this situation, executives don’t have an actual example of what threats exist and how they directly impact their organization. Unfortunately, this leads most organizations to still perceive security as an expense, not as a strategic investment.
It is usually a difficult issue for a security director to prove a direct or rapid ROI for security projects. However, by using a basic formula for revenue per hour and employee labor cost per hour, a security department can point to several high-level measurements of potential cost savings or loss avoidance. These costs can be associated with a number of different loss events.
For example, a company with $100 million in revenue and 1000 employees may experience losses anywhere from $234,000 to $938,000, depending on how long a security incident impacts business operations.
| Annual Company Revenue | $100,000,000 |

Company Revenue Breakdowns
| Daily ($100,000,000 ÷ 240 days) | Hourly ($100,000,000 ÷ 2080 hours) |
| $416,666 per business day | $48,166 per hour |

Company Productivity Costs
| Number of Employees | Average Fully Burdened Hourly Wage for All Employees | Total Hourly Productivity Cost |
| 1000 | $30 | $30,000 |

Potential Security Loss Incidents
| | Significant Loss Event (ex. destructive virus or lost sales database) | Moderate Loss Event (ex. disgruntled employee act or prolonged DoS attack) | Low Loss Event (ex. small nuisance virus infection) |
| Number of Lost Productivity and Revenue Hours | 12 hours | 6 hours | 3 hours |
| Potential Productivity Losses | $360,000.00 | $180,000.00 | $90,000.00 |
| Potential Revenue Losses | $578,000.00 | $289,000.00 | $144,500.00 |
| Total Potential Losses | $938,000.00 | $469,000.00 | $234,000.00 |

Potential Loss Estimate Table
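The revenue-per-hour and labor-cost-per-hour model behind the table is easy to reuse for other companies and outage lengths. The calculator below is an added example, not code from the original article; it takes the article's sample inputs ($100,000,000 revenue, 1000 employees, $30 fully burdened wage, 240 business days, 2080 work hours, and the 12/6/3-hour event tiers) and reproduces the table's rows. Hourly revenue is derived here as revenue ÷ 2080 = $48,076.92, so the revenue-loss column comes out slightly below the table's figures, which are based on $48,166 per hour.

```python
"""Potential-loss calculator for the revenue / productivity model above.

Added example, not code from the original article. The inputs reproduce
the article's sample company ($100,000,000 annual revenue, 1000 employees,
$30 average fully burdened hourly wage, 240 business days, 2080 work
hours) and its three event tiers (12, 6 and 3 lost hours). Hourly revenue
is derived here as revenue / 2080 = $48,076.92, so the revenue-loss
column comes out slightly below the table's $578,000 / $289,000 /
$144,500, which are based on $48,166 per hour.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class CompanyProfile:
    annual_revenue: float          # dollars per year
    employees: int
    burdened_hourly_wage: float    # average fully burdened wage, dollars/hour
    business_days: int = 240       # working days per year
    work_hours: int = 2080         # working hours per year (52 x 40)

    @property
    def revenue_per_day(self) -> float:
        return self.annual_revenue / self.business_days

    @property
    def revenue_per_hour(self) -> float:
        return self.annual_revenue / self.work_hours

    @property
    def productivity_cost_per_hour(self) -> float:
        # Assumes every employee is idle for the whole outage window,
        # which is the article's deliberately simple worst-case model.
        return self.employees * self.burdened_hourly_wage


@dataclass(frozen=True)
class LossEvent:
    name: str
    example: str
    downtime_hours: float          # hours of lost productivity and revenue


@dataclass(frozen=True)
class LossEstimate:
    event: str
    downtime_hours: float
    productivity_loss: float
    revenue_loss: float

    @property
    def total(self) -> float:
        return self.productivity_loss + self.revenue_loss


def estimate_losses(profile: CompanyProfile,
                    events: Iterable[LossEvent]) -> Dict[str, LossEstimate]:
    """Return one LossEstimate per event, keyed by the event name."""
    return {
        e.name: LossEstimate(
            event=e.name,
            downtime_hours=e.downtime_hours,
            productivity_loss=e.downtime_hours * profile.productivity_cost_per_hour,
            revenue_loss=e.downtime_hours * profile.revenue_per_hour,
        )
        for e in events
    }


# The article's sample company and event tiers (values taken from its table).
ARTICLE_PROFILE = CompanyProfile(annual_revenue=100_000_000,
                                 employees=1000,
                                 burdened_hourly_wage=30.0)
ARTICLE_EVENTS: List[LossEvent] = [
    LossEvent("Significant", "destructive virus or lost sales database", 12),
    LossEvent("Moderate", "disgruntled employee act or prolonged DoS attack", 6),
    LossEvent("Low", "small nuisance virus infection", 3),
]


def format_table(profile: CompanyProfile = ARTICLE_PROFILE,
                 events: Iterable[LossEvent] = ARTICLE_EVENTS) -> str:
    """Render the estimate in the same row layout as the article's table."""
    estimates = list(estimate_losses(profile, events).values())
    header = f"{'':<28}" + "".join(f"{e.event:>16}" for e in estimates)
    rows = [
        ("Lost hours", [f"{e.downtime_hours:g}" for e in estimates]),
        ("Productivity losses", [f"${e.productivity_loss:,.0f}" for e in estimates]),
        ("Revenue losses", [f"${e.revenue_loss:,.0f}" for e in estimates]),
        ("Total potential losses", [f"${e.total:,.0f}" for e in estimates]),
    ]
    lines = [
        f"Revenue per business day: ${profile.revenue_per_day:,.2f}",
        f"Revenue per hour:         ${profile.revenue_per_hour:,.2f}",
        f"Productivity cost/hour:   ${profile.productivity_cost_per_hour:,.2f}",
        "",
        header,
    ]
    lines += [f"{label:<28}" + "".join(f"{c:>16}" for c in cells)
              for label, cells in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table())
```

Swapping in a different CompanyProfile or a longer outage tier (say a multi-day ransomware recovery) gives the same loss-avoidance figures the article uses to justify spending, in a form that can be regenerated whenever revenue or headcount changes.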
Motivating Factors
There are a number of factors to consider in addition to lost revenue and lost productivity. These are damaged business reputation and theft of intellectual property. Data recovery and security countermeasure implementation costs also need to be factored in. As with any solution, the total cost of ownership should include installation, configuration, and monitoring.
Most organizations are targeting their security programs to mitigate risk and reduce liability. Some other motivating factors are being driven by government legislation such as HIPAA and the Gramm-Leach-Bliley Act (GLBA). Additionally, business partners and customers may require a certain level of security in order to be able to connect to their networks. Previous security incidents may also be a motivation to have a proactive security effort, since it is usually more cost effective to try to prevent an incident than to recover afterward.
The most probable course of action is to concentrate on risk mitigation and liability reduction. This is where most of the current focus is with the use of security software and services. Firewalls, IDS, anti-virus, VPN, and authentication form the foundation of a network security effort. Their effectiveness depends on their points of deployment, configuration, and monitoring. Part of the deployment and configuration should take into consideration the assets they are trying to protect.
The Three Primary Areas Approach
Part of risk mitigation and liability reduction lies beyond just finding vulnerabilities on the network. Policies and procedures, security awareness training, and physical security are equally as important. The network doesn’t only exist in cyberspace, but is more of a living and breathing organism. This is because the network resides in a physical environment and interacts with people. By only looking at network vulnerabilities, other significant areas of security vulnerabilities could be missed. An organization can have the best network security, but it doesn’t stop someone from easily gaining physical access to the network and compromising a host on the network. Physical security should make it difficult for anyone but authorized personnel to physically access any network host. This requires secured buildings and areas within those buildings. This involves lighting, fences, access-controlled entrances and interior areas, burglar alarms, CCTV, and security officers. But even addressing both network and physical security still doesn’t complete the security effort; operational security concerns need to be examined as well.
Operational security focuses on security organization structure, policies and procedures, assessments and audits, information classification, and security awareness programs. These are the primary areas where people and the network interface with each other. Many control procedures and processes that provide overall protection of the organization’s business are defined under operational security. Policies and procedures are the foundation and blueprint for the organization’s entire security program. Without this foundation and direction established in policies and procedures, the security program may lack a cohesive structure to function effectively and efficiently.
Assessments and audits are crucial to identifying security risk and the effectiveness of current safeguards and control procedures. Information classification addresses the appropriate sensitivity levels for organizational information. Based on a classification rating, specific labeling and handling procedures for information should be required. This is an area that many organizations fail to address. Finally, security awareness should be comprehensive and on-going. One of the easiest ways to build a security awareness program for employees is to base it on the organization’s policies and procedures.
This will reinforce employees’ exposure to, and understanding of, the policies and procedures, which reduces legal liability.
It is this overall approach of analyzing all three areas (network, operational, and physical) of an organization’s security that provides a comprehensive overview. This is not a process that can be accomplished by only using automated scanning software. It relies more on direct human observation and knowledge about the various aspects of the organization and its business operations. This process provides a more accurate assessment of the organization’s true security posture and how it impacts business operations.
The identification and measurement of vulnerabilities is important, but these need to be tied to business assets, which are then tied to a line of business. This is how security vulnerabilities are linked to business impact. Identifying the most critical business assets and their related vulnerabilities helps an organization prioritize the safeguards that should be implemented first to reduce the most risk. The process aligns the justification of security expenditures with the organization’s lines of business. This brings together both security and business operations and establishes a clear relationship between the two. Executives can now understand security vulnerabilities in terms of business impact, which makes it easier to understand the need for security expenditures. On the other side, the organization’s security professionals can now use the relationship to business assets to help justify and prioritize the needed security solutions.
Traditional Risk Analysis Methodology
Traditional risk analysis has typically involved determining Annualized Loss Expectancy (ALE), Annualized Rate of Occurrence (ARO), Exposure Factor (EF), and Single Loss Expectancy (SLE). Most of these factors require a fair amount of statistical information, which is not easily available. While there are several reports such as the annual CSI/FBI Computer Crime and Security Survey, it may be difficult and time consuming to specifically derive the aforementioned factors for an individual organization. Unfortunately, most organizations don’t have the resources to strictly follow the traditional risk analysis methodology, even using some of the current risk assessment software.
Another area that makes the traditional risk analysis methodology complex is trying to characterize threats. Almost all threats related to security, other than natural and man-made disasters, are human. Threats can be described at a high level as internal or external, structured or non-structured, hostile or non-hostile, or any combination thereof. This means that threats can range from a burglar to a disgruntled employee, all the way to a professional hacker working for a primary competitor.
Certain threats are more likely to exploit certain vulnerabilities. An internal disgruntled employee could easily deploy a password sniffing program to identify network administrators’ user IDs and passwords, giving them privileged access to most of the organization’s enterprise. Another example could be an employee of a primary competitor getting a job with the targeted organization to gain access to insider information. While it is useful to understand what kinds of threats are out there, it may take too many resources to try to specifically match vulnerabilities and threats together.
Traditional risk analysis is valuable and provides a solid structure for determining which of an organization’s assets are at risk. However, this traditional approach can be too time and resource intensive for most private or public organizations. While still following the basic risk analysis structure, a higher-level analysis can yield very valid results using a reasonable amount of resources in terms of labor hours and expertise.
Risk Management Overview
The objective is to determine security risk and recommend solutions to reduce the impact to business operations. Higher risk levels can lead to greater losses and hinder profitable lines of business. Before risk can be managed, it must be measured. For effective risk management, it is important to identify and rate system vulnerabilities and business assets, and to make a determination of the threats that can create losses to business operations. This process begins by taking the results of the interviews, questions, and network scanning, and putting them into a risk model for analysis.
The formula used for this is Assets × Vulnerabilities × Threats = Risk. Assets, vulnerabilities, and threats must always be present in order for there to be risk. Risk is defined as a threat exploiting a vulnerability, which may cause harm to an asset. Once this formula has been completed, it can be determined how known vulnerabilities could affect business operations.
Assets, Vulnerabilities, and Threats
Assets must be identified and measured to determine the value they provide to the business operations and revenues. An asset can be informational, a process, or physical with most supporting a source of revenue or income. Without the ability to measure an asset’s value, it is difficult to determine which assets are the most critical. Vulnerabilities are security weaknesses of system components or an area that can be exploited by a threat. These weaknesses or exposures can result in impact, losses or damages to assets. A threat is usually a person that exploits an asset’s vulnerabilities. However, natural and man-made disasters are also classified as threats, but not within the scope of this discussion. A human threat could be a curious outsider, disgruntled employee, competitor, criminal hacker, or terrorist. A disgruntled employee might try to exploit vulnerabilities since they already have access to the company’s network. An employee usually has an additional advantage since he or she probably knows the system they are attacking. For instance, a disgruntled employee would exploit the password vulnerability by using a brute-force password-guessing program.
Reducing Risk
Safeguards are defined as the technical or procedural steps taken to reduce risk. Software patches and upgrades can be effective methods against known system technical security weaknesses. Safeguards can also be in the form of a product specifically designed to reduce a security weakness. Firewalls and intrusion detection systems are good examples of this, since these devices are intended to prevent unauthorized use of network resources. Safeguard effectiveness is measured by how well they counter the impact to an asset from a threat exploiting a vulnerability.
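The Assets × Vulnerabilities × Threats = Risk model from the Risk Management Overview, the asset/vulnerability/threat definitions, and the safeguard-effectiveness measure described here can be turned into a small risk register that ranks what to fix first and rolls risk up by line of business, which is the executive view the article argues for. The code below is an added example, not the article's own method: the 0-5 ordinal rating scale, the register entries, the `Safeguard` type and the `PATCH_MANAGEMENT` cost are all constructed here for illustration, and a rating of 0 for any factor yields zero risk, mirroring the article's rule that all three factors must be present.

```python
"""Assets x Vulnerabilities x Threats risk ranking with safeguard comparison.

Added example, not the article's own method. Each factor is rated on a
0-5 ordinal scale (the scale and every register entry are constructed
here; the article gives no numeric ratings). A rating of 0 for any factor
means that factor is absent and the entry carries no risk, which mirrors
the article's rule that assets, vulnerabilities and threats must all be
present for risk to exist.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    line_of_business: str      # ties the asset to revenue, as the article asks
    vulnerability: str
    threat: str
    asset_value: int           # 0-5: importance of the asset to the business
    vulnerability_rating: int  # 0-5: severity / exposure of the weakness
    threat_rating: int         # 0-5: likelihood a capable threat acts on it

    def __post_init__(self) -> None:
        for rating in (self.asset_value, self.vulnerability_rating, self.threat_rating):
            if not 0 <= rating <= 5:
                raise ValueError(f"rating {rating} outside 0-5 for {self.asset}")

    @property
    def risk(self) -> int:
        # The article's formula: any absent factor (0) drives risk to 0.
        return self.asset_value * self.vulnerability_rating * self.threat_rating


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_vulnerability: int  # vulnerability rating once the safeguard is in place


def rank_risks(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest risk first, so the top of the list is what to fix first."""
    return sorted(entries, key=lambda e: e.risk, reverse=True)


def risk_by_line_of_business(entries: List[RiskEntry]) -> Dict[str, int]:
    """Aggregate risk per line of business for the executive view."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.line_of_business] = totals.get(e.line_of_business, 0) + e.risk
    return totals


def apply_safeguard(entry: RiskEntry, safeguard: Safeguard) -> RiskEntry:
    """A safeguard lowers the vulnerability rating; it never raises it."""
    new_rating = min(entry.vulnerability_rating, safeguard.residual_vulnerability)
    return replace(entry, vulnerability_rating=new_rating)


def risk_reduction(entry: RiskEntry, safeguard: Safeguard) -> int:
    """Risk points removed by the safeguard: the article's 'effectiveness'."""
    return entry.risk - apply_safeguard(entry, safeguard).risk


# Constructed sample register; names and ratings are illustrative only.
SAMPLE_REGISTER: List[RiskEntry] = [
    RiskEntry("Admin credentials", "IT operations",
              "cleartext protocols expose passwords to sniffing on the LAN",
              "disgruntled employee", 5, 5, 3),
    RiskEntry("Sales database", "Sales",
              "database server missing vendor patches",
              "disgruntled employee", 5, 4, 3),
    RiskEntry("Public web server", "Marketing",
              "outdated web server software",
              "external criminal hacker", 3, 4, 4),
    RiskEntry("Lobby workstation", "Facilities",
              "live network port in an unattended visitor area",
              "curious outsider", 2, 3, 2),
]

# Hypothetical safeguard; cost and residual rating are constructed values.
PATCH_MANAGEMENT = Safeguard("Patch management process",
                             annual_cost=25_000, residual_vulnerability=1)


if __name__ == "__main__":
    for e in rank_risks(SAMPLE_REGISTER):
        print(f"{e.risk:>3}  {e.asset:<20} {e.line_of_business:<14} {e.vulnerability}")
    print(risk_by_line_of_business(SAMPLE_REGISTER))
    db = SAMPLE_REGISTER[1]
    print(f"{PATCH_MANAGEMENT.name}: removes {risk_reduction(db, PATCH_MANAGEMENT)} "
          f"risk points from '{db.asset}' for ${PATCH_MANAGEMENT.annual_cost:,.0f}/year")
```

Ordinal products like these are only useful for ordering, not for dollar figures; pairing the ranked register with the loss-per-hour model from the table above is what lets a safeguard's annual cost be set against the loss it avoids.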