
Balancing the cost and benefits of countermeasures

26 Jan 2007 | By Dan Sullivan, Realtimepublishers


This is the last tip in our series, "How to assess and mitigate information security threats," excerpted from Chapter 3: The Life Cycle of Internet Access Protection Systems of the book The Shortcut Guide to Protecting Business Internet Usage published by Realtimepublishers.

The task of balancing the cost and benefits of countermeasures is essentially an exercise in risk analysis. The purpose of a risk analysis is to identify assets, threats to those assets, the potential loss to an organization due to threats, and finally, how to respond to that potential loss. The risk analysis process consists of five steps.

First, the organization must assign values to information assets. The value can be based on the replacement cost, if the asset is hardware, or the cost to recreate or recover, if it is a software asset or data. Also consider differences in how assets are used. For example, two laptops might both cost $1000, but one stores only the email of a sales representative, which is less valuable data than the other, which belongs to the CFO and contains undisclosed financial data. Organizations should also take into account the effect of a security breach on customer goodwill and brand value. These, of course, are more difficult to measure, but some consideration should be given to all costs, not just those that are easily quantifiable.

The second step is to estimate the potential loss per risk. This could include:

  • The cost to recover from a malware attack, including lost productivity and IT staff time.

  • The cost to recover from a DoS attack, including the cost of modifications to firewalls, IPSs, and other network assets to prevent future successful attacks.

  • The cost of fines and penalties for violating confidentiality and privacy agreements by allowing the disclosure of sensitive information during a security breach.

  • Lost revenues due to unavailable systems that were compromised by an attack.

With this information, you can calculate the single loss expectancy, or the cost of recovering from a single incident.

The next step requires an estimate of the likelihood of each type of risk. For example, based on past experience, an organization may estimate that a significant malware attack will occur once per year and information loss due to a security breach will occur twice per year. The cost per year (known as the annual loss expectancy—ALE) of a malware attack is the cost of recovering from one malware incident; the cost per year of information losses is two times the single incident cost.

These costs should provide an upper bound on the amount spent on countermeasures to prevent these threats from materializing. Countermeasures that cost less than the ALE should be deployed to mitigate the risk in cases in which the organization wants to reduce risks. There might be situations in which organizations are willing to accept the risk, either because the likelihood is so low or the cost of mitigating the risk so high. Alternatively, an organization could shift the risk by purchasing insurance.

So much depends on accurate valuations of assets and intangibles, such as customer goodwill, that it is essential to have accurate estimates; otherwise you risk skewing security resources to the wrong assets. Assessing threats and appropriate countermeasures is a key component of the asset protection life cycle. By understanding the risks associated with each asset, the value of each asset, and the cost of protecting the asset, organizations can make rational and efficient choices with regard to security practices. After the objectives for information asset protection are in place and choices are made about appropriate countermeasures, policies and procedures should be defined to put those decisions into practice.
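
The steps above worked through in Python, as an added example that is not part of the book excerpt: it builds a small risk register, derives the single loss expectancy and ALE for each risk, applies the rule that a countermeasure is worth deploying when it costs less than the ALE, and flags decisions that would flip if the estimates were off. All dollar figures, the DoS frequency, the countermeasure costs and the 30% error margin are constructed assumptions; only the once-per-year and twice-per-year frequencies come from the text.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    loss_components: dict       # cost items for one incident (constructed figures)
    incidents_per_year: float   # estimated likelihood
    countermeasure_cost: float  # annual cost of the proposed countermeasure (assumed)

    @property
    def sle(self):
        """Single loss expectancy: cost of recovering from one incident."""
        return sum(self.loss_components.values())

    @property
    def ale(self):
        """Annual loss expectancy: SLE times expected incidents per year."""
        return self.sle * self.incidents_per_year

def decide(risk, estimate_error=0.0):
    """Deploy when the countermeasure costs less than the ALE.
    estimate_error scales the ALE to model an over- or under-estimate."""
    ale = risk.ale * (1 + estimate_error)
    return "deploy" if risk.countermeasure_cost < ale else "accept or transfer"

def assess(risks, error=0.3):
    """Return rows sorted by ALE; the last field is False when the
    decision changes somewhere within +/- error of the estimate."""
    rows = []
    for r in sorted(risks, key=lambda r: r.ale, reverse=True):
        outcomes = {decide(r, e) for e in (-error, 0.0, error)}
        rows.append((r.name, r.sle, r.ale, decide(r), len(outcomes) == 1))
    return rows

# Constructed sample register (not data from the book).
REGISTER = [
    Risk("malware attack", {"lost productivity": 12000, "IT staff time": 8000}, 1, 15000),
    Risk("information loss", {"fines and penalties": 20000, "lost revenue": 5000}, 2, 30000),
    Risk("DoS attack", {"firewall/IPS changes": 6000, "lost revenue": 4000}, 0.5, 9000),
]

if __name__ == "__main__":
    for name, sle, ale, decision, robust in assess(REGISTER):
        note = "" if robust else "  (flips if estimates are off by 30%)"
        print(f"{name:18} SLE={sle:>8,.0f} ALE={ale:>8,.0f} -> {decision}{note}")
```

The malware row is the one to watch: the countermeasure is justified at the estimated ALE, but a 30% overestimate of the loss would reverse the decision, which is the skew the paragraph above warns about.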


How to Assess and Mitigate Information Security Threats
  Introduction
  Malware: The ever-evolving threat
  Network-based attacks
  Information theft and cryptographic attacks
  Attacks targeted to specific applications
  Social engineering
  Threats to physical security
  Balancing the cost and benefits of countermeasures

This chapter excerpt from the free eBook The Shortcut Guide to Protecting Business Internet Usage, by Dan Sullivan, is printed with permission from Realtimepublishers, Copyright 2006.

Now that you're finished reviewing these 7 tips, move on and review the rest of the chapter, or download the entire eBook.
