According to a recent vendor report, businesses risk losing billions of dollars to malware that steals sensitive...
data. Are there any metrics I can use to quantify my company's level of risk exposure to our executives, i.e. how many employees we've laid off recently or locations where our data is stored?
I tend to be pretty suspicious of vendor surveys as they are inherently biased. But regardless of the numbers in the survey, the vendor has a point, which is that companies are increasingly at risk of losing their data, whether from malicious insiders, random theft of equipment (as in stealing laptops from cars), lost USB drives or targeted and untargeted malware.
The initial metrics you propose are a great start. Also, compare your company's rate of laptop loss to that of the general public to see if it's something to be concerned about. For reference sake, a recent article in Fast Company revealed that approximately one laptop gets stolen every minute, and more then 12,000 go missing each year in airports alone. It's important to not only look at the raw numbers, but also at who in your organization has laptops and what sort of data they carry on those machines.
In the end, this isn't really a metrics problem per se, but rather a risk assessment/risk management problem; though the metrics will help inform your decision. That is to say, metrics tell you where the company is today and can potentially predict where it is heading, but without context, these metrics don't actually tell you if you are in bad shape. Risk assessments give that context by taking those metrics and explaining how relevant they are. For example, one metric may show that laptop thefts are up 400% this year compared to last year. That sounds really bad, but if it means that in 2008 you lost five laptops instead of 1 and the company owns 20,000, then reducing the laptop theft rate may not need to be your highest priority -- unless all five laptops belong to the CEO or other senior executives.
Similarly, just because the number of security incidents has gone down in an organization doesn't mean that it's better off, if the incidents that did occur were much worse. By implementing proper risk management guidelines, you can effectively evaluate these metrics and appropriately prioritize your resources accordingly.
There are a lot of good risk assessment/risk management frameworks out there. My personal favorite is FAIR, but others include OCTAVE, SOMAP and even an emerging ISO standard.
FAIR is my favorite, largely because it provides a simple, easy-to-use mechanism for communicating the inherent probabilistic nature of risk. However, any of the above frameworks will get you where you need to be.
Regardless of which framework you choose, you need to know where your data is and where it's going. Once you understand how the data is moving, the rest of the analysis isn't too bad.
Learn more about the role information security plays in fraud prevention
Dig Deeper on Enterprise Risk Management: Metrics and Assessments
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ...continue reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security...continue reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.