Problem solve Get help with specific problems with your technologies, process and projects.

How to quantify business risk exposure to malware

How safe is your enterprise from data-stealing malware? How can you know where your security program falls short? Find out how to gauge enterprise risk exposure to malware in this expert response.

According to a recent vendor report, businesses risk losing billions of dollars to malware that steals sensitive data. Are there any metrics I can use to quantify my company's level of risk exposure to our executives, i.e. how many employees we've laid off recently or locations where our data is stored?

I tend to be pretty suspicious of vendor surveys as they are inherently biased. But regardless of the numbers in the survey, the vendor has a point, which is that companies are increasingly at risk of losing their data, whether from malicious insiders, random theft of equipment (as in stealing laptops from cars), lost USB drives or targeted and untargeted malware.

The initial metrics you propose are a great start. Also, compare your company's rate of laptop loss to that of the general public to see if it's something to be concerned about. For reference sake, a recent article in Fast Company revealed that approximately one laptop gets stolen every minute, and more then 12,000 go missing each year in airports alone. It's important to not only look at the raw numbers, but also at who in your organization has laptops and what sort of data they carry on those machines.

In the end, this isn't really a metrics problem per se, but rather a risk assessment/risk management problem; though the metrics will help inform your decision. That is to say, metrics tell you where the company is today and can potentially predict where it is heading, but without context, these metrics don't actually tell you if you are in bad shape. Risk assessments give that context by taking those metrics and explaining how relevant they are. For example, one metric may show that laptop thefts are up 400% this year compared to last year. That sounds really bad, but if it means that in 2008 you lost five laptops instead of 1 and the company owns 20,000, then reducing the laptop theft rate may not need to be your highest priority -- unless all five laptops belong to the CEO or other senior executives.

Similarly, just because the number of security incidents has gone down in an organization doesn't mean that it's better off, if the incidents that did occur were much worse. By implementing proper risk management guidelines, you can effectively evaluate these metrics and appropriately prioritize your resources accordingly.

There are a lot of good risk assessment/risk management frameworks out there. My personal favorite is FAIR, but others include OCTAVE, SOMAP and even an emerging ISO standard.

FAIR is my favorite, largely because it provides a simple, easy-to-use mechanism for communicating the inherent probabilistic nature of risk. However, any of the above frameworks will get you where you need to be.

Regardless of which framework you choose, you need to know where your data is and where it's going. Once you understand how the data is moving, the rest of the analysis isn't too bad.

Next Steps

Learn more about the role information security plays in fraud prevention

Read more about failure mode and effects analysis for process and system risk assessment

This was last published in February 2009

Dig Deeper on Risk assessments, metrics and frameworks

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.