Risk management is much more complicated, and valuable, than merely making seemingly random tweaks. First, you must analyze your tolerance for risk. How risk averse are you and/or the organization you are securing? Everyone has an inherent propensity for risk, but it is moderated by circumstances. Next, you must have an understanding of what you have to lose. What is the value at stake? Those are both easy, or at least easier. Microsoft, Symantec, and Ziff-Davis produced a free assessment tool to help you understand those issues. The tool is available at https://www.securityguidance.com/.
The much harder question is how likely you are to be attacked, and by which methods. The likelihood is typically related to how valuable you are to someone else. Put yourself in the attacker's mind for a minute. What would they do with your data? With your computer? With your network capacity? If you were out of business? How much are your assets worth to someone else?
Enterprise Risk Management
For large enterprises, the scenario is much richer, as is the potential payoff. The volume of information that can be had is much greater. Consequently, the risk is typically higher. Unfortunately, many organizations tend to follow one of two approaches: ignore the vast majority of the problem, or come down so hard on it that the only way employees can be productive is by circumventing the policies in some way. Sometimes we even see a hybrid, where many significant problems are ignored, and the rest are dealt with in such a heavy-handed manner that the cure is worse than the disease.
One reason for this is an inadequate accounting for risk. The wisdom in infosec has for many years been that the risk equation is structured like Equation 15-1. The value P in Equation 15-1 is the probability of an event.
ALE stands for "annualized loss expectancy" and is the estimated value of the loss in a given year. This equation has been used to quantify risk for many years. There is one problem with it, however. It fails to account for the impact of the proposed mitigation. The assumption is that the user is interested in discovering how much she should be willing to spend on mitigations. A mitigation that costs more to implement than the risk is worth is not worthwhile. That, however, fails to take into account the fact that it is not just the mitigation itself that has a cost. The mitigation often comes with side-effects, and those have a cost associated with them as well. A more complete risk equation is shown in Equation 15-2.
Equation 15-2 modifies the ALE to take into account the changed probability and cost of loss after a mitigation, and the cost of the mitigation. The cost of the mitigation consists of the cost of the mitigation itself, and any expected cost of side-effects of the mitigation. By using an equation that takes into account the expected cost of mitigations we have a much more complete picture of the impact of our decisions. Equation 15-2 has the potential to more accurately account for the value of the risk. It reflects the fact that the mitigations and side-effects of mitigations are potentially costly. For instance, let us consider the case of wireless networking. Wireless networking has a risk of loss associated with it, as an attacker can potentially use it to break into the organization. Just to make numbers up, we will assume the probability of that event is 0.01 percent per year. The value of the loss that would occur in that case is harder to quantify, but let us say we are protecting personal data for 10,000 customers. The average cost of loss of such a record is $182 (according to the Ponemon Institute in 2007). In other words, the total possible loss is $1,820,000. That is how much we should be willing to spend, according to the conventional risk equation. According to the modified one, our willingness to spend would be offset by the impact of the mitigation.
One possible mitigation would be to put a virtual private network (VPN) device between the wireless network and the wired network. However, host-to-site VPN connections typically drop when there is an interruption in the underlying network. This can happen for a number of reasons, but a very common interruption in wireless networking is that users move from one access point to another as they move through the building. In fact, they could move from one access point to another without even moving the computer. This causes a disruption as the user needs to (a) recognize that a disconnection has occurred, (b) interrupt what she is doing to launch a VPN client to reconnect, and (c) re-establish the context for the task that was interrupted. This process can easily take five minutes each time, and it can happen several times a day.
For the sake of argument, let us say the disconnection event happens on average three times per day per user, including the initial setup. That is 15 minutes of lost productivity per user per day. There could also be data loss associated with this connectivity drop, but we will ignore that for now. There are approximately 200 workdays in a year, so each year every user loses 3,000 minutes, or 50 hours of work, due to network connectivity issues. If you have 1,000 users, it means that every year you lose 50,000 hours of work. To estimate total cost, you would need to count how much each user costs per hour. A figure of $75–100 per hour is typical, after accounting for salary, benefits, and ancillary costs. Using the lower of those numbers, the potential cost of side-effects from our mitigation, a VPN device between our wireless and wired network, is $3,750,000. We do not have complete confidence in these figures, but we could say that it is about a 50/50 chance that things will play out this way. That means our estimated cost of the side-effects of the mitigation is $1,875,000. In other words, the cost of side-effects from our mitigation is estimated at $55,000 per year more than the risk itself is worth! We do not even need to include the cost of actually building the mitigation. This mitigation option should be eliminated from consideration.
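The comparison above can be carried through in code so the two models (the conventional ALE and the modified one that charges the mitigation for its side-effects) sit side by side. The following is an added example, not code from the book; the function and field names are assumptions, and the structure of the modified equation is taken from the prose description (the book's Equations 15-1 and 15-2 themselves are not reproduced here). The figures are the ones used in the text: 10,000 records at $182 each, 3 drops per user per day at 5 minutes each, 200 workdays, 1,000 users, $75 per hour, and a 50/50 confidence in the side-effect estimate.

```python
"""Worked risk comparison for the wireless/VPN scenario (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Figures from the text (the record cost is the Ponemon Institute 2007 number).
RECORD_COST_USD = 182
CUSTOMER_RECORDS = 10_000
BREACH_PROBABILITY = 0.0001  # "0.01 percent per year"


def annualized_loss_expectancy(probability: float, loss: float) -> float:
    """Conventional ALE: probability of the event in a year times the loss if it occurs."""
    return probability * loss


def exposure(records: int, cost_per_record: float) -> float:
    """Total possible loss; this is the figure the text compares the mitigation against."""
    return records * cost_per_record


@dataclass
class SideEffect:
    """One side-effect of a mitigation, costed as lost productivity."""

    events_per_user_per_day: float
    minutes_per_event: float
    workdays_per_year: int
    users: int
    hourly_cost_usd: float
    confidence: float  # probability that the side-effect plays out as estimated

    def lost_hours_per_user(self) -> float:
        minutes = self.events_per_user_per_day * self.minutes_per_event * self.workdays_per_year
        return minutes / 60

    def potential_cost(self) -> float:
        return self.lost_hours_per_user() * self.users * self.hourly_cost_usd

    def expected_cost(self) -> float:
        # Discount the potential cost by how confident we are in the estimate.
        return self.potential_cost() * self.confidence


def mitigation_cost(implementation_cost: float, side_effects: list[SideEffect]) -> float:
    """Modified model: the mitigation's own cost plus the expected cost of its side-effects."""
    return implementation_cost + sum(s.expected_cost() for s in side_effects)


def evaluate(risk_value: float, implementation_cost: float, side_effects: list[SideEffect]) -> dict:
    """Compare what the risk is worth against what the mitigation (and its fallout) costs."""
    cost = mitigation_cost(implementation_cost, side_effects)
    return {
        "risk_value": risk_value,
        "mitigation_cost": cost,
        "net": risk_value - cost,          # negative means the cure is worse than the disease
        "worthwhile": cost < risk_value,
    }


# The VPN reconnect disruption as described in the text.
VPN_DROPS = SideEffect(
    events_per_user_per_day=3,
    minutes_per_event=5,
    workdays_per_year=200,
    users=1_000,
    hourly_cost_usd=75,
    confidence=0.5,
)


def wireless_vpn_case() -> dict:
    """The chapter's worked example: VPN between the wireless and wired networks."""
    risk = exposure(CUSTOMER_RECORDS, RECORD_COST_USD)  # $1,820,000
    # The text does not even count the cost of building the mitigation, so it is left at 0.
    return evaluate(risk, 0.0, [VPN_DROPS])


if __name__ == "__main__":
    result = wireless_vpn_case()
    print(f"Lost hours per user per year: {VPN_DROPS.lost_hours_per_user():.0f}")
    print(f"Potential side-effect cost:   ${VPN_DROPS.potential_cost():,.0f}")
    print(f"Expected side-effect cost:    ${VPN_DROPS.expected_cost():,.0f}")
    print(f"Risk value (total exposure):  ${result['risk_value']:,.0f}")
    print(f"Net:                          ${result['net']:,.0f}  worthwhile={result['worthwhile']}")
```

Running it reproduces the text's arithmetic: 50 lost hours per user, $3,750,000 potential and $1,875,000 expected side-effect cost, against a risk value of $1,820,000, for a net of -$55,000 and a mitigation that should be dropped. `annualized_loss_expectancy()` is included so the probability stated in the text (0.01 percent) can be applied when you have enough confidence in it; the text's own comparison uses the unweighted total exposure as the risk value, and the example follows the text.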
These are just made up figures, obviously, but the concept is critical. Much of what we today think of as the basic tenets of information security came from a military environment, where the cost of a breach could mean massive casualties. This led, naturally, to an extremely conservative approach. In a commercial or non-military public sector environment, and even in a military one, these models need to be reviewed and reconsidered based on a more risk-tolerant approach. Unfortunately, far too often, the security department views its job as removing all risk, and hence all work. They become the work stoppage department, and quickly become irrelevant and left out of all important decisions.
Taking this approach to security forfeits the benefit security is supposed to provide: the sensible consideration of risk, which the security department is ostensibly better at than anyone else, is removed from the decision-making process. Security becomes irrelevant. Only by taking into account business needs, user desires, and the pain our mitigations will cause can we become relevant again. In essence, the field of information security needs to question its world view. In short, we need to think differently about security and managing risk. We need to partner with the rest of the business and leverage others to improve our overall risk posture. The rest of this chapter looks at a number of areas of information security, and how Windows Vista can be leveraged to do just that.