Interview: Dino Dai Zovi explains his methodology for quantifying risk. - Information Security Magazine

Interview with Macbook Hacker Dino Dai Zovi

Dino Dai Zovi, one of the men behind the MacBook hack at last year's CanSecWest conference, is a respected researcher, and that's just in his spare time. By day, Dai Zovi is a security professional in the financial services industry, where he's knee-deep in the movement toward quantifying risk in an organization.

DINO DAI ZOVI


What can you share about the risk scoring system you're working on?
It's based mainly on the Common Vulnerability Scoring System. I previously had a homebrew system, but I found having things standardized, with vulnerabilities coming pre-rated from vendors, made my life easier. What I really cared about was scoring them for my environment. Doing the research into a vulnerability provided a flexible framework for me to model less specific vulnerabilities, as opposed to specific security product vulnerabilities. It allowed me to model larger vulnerabilities in that same system.


Are you seeing security moving toward a risk management function in the financial services community?
I've seen a fair amount of financial institutions adopting that stance, where banks are actually moving their security teams under their risk management umbrellas. Some large organizations were some of the early movers and are interested

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

in quantifying security risk, just as they do with trading risk. It's very analogous to analyzing your risk based on certain market forces and doing what you can to mitigate that risk or measure how much risk you want to take.

On the information security side, if you can quantify risk and compare that to the cost of dealing with security incidents or the likelihood of them happening, you can choose your risk threshold and exert the appropriate amount of remediation effort that's in line with that risk tolerance.

Security risk models are nowhere near as robust or proven as financial risk models, so at this time the information security practitioners have the best knowledge of the field to be able to assess this risk.


Do you think this is a good trend?
I think so. I think what it will eventually lead to is finally answering the question of how much security is enough.

I think the industry as a whole will be served when we have better anonymized data on incidents. Companies are often very reluctant to share data or even the fact that there's been an incident. So if you have more data on how often these occur and other points, we can basically estimate, based on our size and our business profile, there's x-percent chance of a customer information leak. And based on how much it would cost to prevent that leak, we can choose whether we want to take actions to remediate that or just run with it.


Read the complete interview at searchsecurity.com.

This was first published in March 2008