This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."
Download it now to read this article plus other related content.
Dino Dai Zovi, one of the men behind the MacBook hack at last year's CanSecWest conference, is a respected researcher, and that's just in his spare time. By day, Dai Zovi is a security professional in the financial services industry, where he's knee-deep in the movement toward quantifying risk in an organization.
DINO DAI ZOVI
| in quantifying security risk, just as they do with trading risk. It's very analogous to analyzing your risk based on certain market forces and doing what you can to mitigate that risk or measure how much risk you want to take.
On the information security side, if you can quantify risk and compare that to the cost of dealing with security incidents or the likelihood of them happening, you can choose your risk threshold and exert the appropriate amount of remediation effort that's in line with that risk tolerance.
Security risk models are nowhere near as robust or proven as financial risk models, so at this time the information security practitioners have the best knowledge of the field to be able to assess this risk.
I think the industry as a whole will be served when we have better anonymized data on incidents. Companies are often very reluctant to share data or even the fact that there's been an incident. So if you have more data on how often these occur and other points, we can basically estimate, based on our size and our business profile, there's x-percent chance of a customer information leak. And based on how much it would cost to prevent that leak, we can choose whether we want to take actions to remediate that or just run with it.
Read the complete interview at searchsecurity.com.
This was first published in March 2008