Q
uantity or quality - that is the question!
There is a great deal of debate between the supporters of quantitative risk assessment and the supporters of qualitative risk assessment in the security and compliance business.
The qualitative people say that since it is impossible to estimate risk as an absolute number such as “87 percent probability of your customer data being stolen by an angry employee”, they would rather rate that risk as “high”.
The quantitative people say that risk is a function of threat, ARO (annual rate of occurrence) and percent damage to the asset. If the annual rate of occurrence of an attack is twice/year on the average and the percent damage to a customer list is 10% of its value, then the risk of your customer data being stolen would be 2.0×0.10 = 20 percent on a yearly basis. The qualitative folks are quick to retort that it’s impossible to estimate ARO, since most organizations don’t collect historical loss data for security and compliance events. (This is actually a good case to start collecting data now…) They also claim out that it’s impossible to accurately estimate the value of an asset such as a customer list in dollars (need to ask the right person – like the CFO…).
Since I am a physicist, I must say that I am biased towards physical models that can be calculated and observed. I would start with three assumptions:
1. The estimated value of an asset is analogous to it’s momentum mv, the product of its mass and velocity. A very large database of 10 year old customer data that was archived in the Colorado Rockies might have a large mass but almost zero velocity and therefore low value. If the database had 100,000 transactions/day then it would have a high velocity, correspondingly high momentum and high value. Note that this model runs counter to all privacy regulation but I think it holds water from a practical perspective. No one ever said that our legislators were good at physics….
This physical analogy leads to some interesting conclusions. If an attacker were to steal 10 million customer records from the archive in the Colorado Rockies – the dollar value of the damage would actually be low in this model. On the other hand, if political attackers were to access the flight details of only one passenger name record, the damage might be very high if it was disclosed that a US presidential candidate called Barack Obama, was using frequent flier mileage to get away for an intimate weekend with Janet Jackson. Or not…
2. The ability of an attacker to damage an asset is analogous to the force it can exert on the object we call an asset.
3. The ability of a security countermeasure to protect an asset is analogous to the force it can exert on the attacker.
Observed from an inertial reference frame, the net force on the object (the asset) is proportional to the rate of change of its momentum F = d (mv) / dt.
Force and momentum are vectors and the resulting force is the vector sum of all forces present.
Newton’s Second Law says that “F = ma: the net force on an object is equal to the mass of the object multiplied by its acceleration.”
If the attacker manages to decelerate the asset to v=0, then the momentum of the asset is zero and it has been rendered inoperative. In a case like this – the damage to the asset is 100%
If the asset runs faster than the attacker or another force (a security countermeasure) deflects the attacker, then the asset momentum is unchanged, and damage to the asset is 0%.
This simple-minded physical argument shows that risk is indeed a dependent variable;
Risk = the vector sum of the forces of the attackers and security countermeasures relative to the asset.
As in physics, we must observe and collect data if we want to be able to calculate risk.
1. Asset value (momentum)
IT security and compliance people should ask their CFO how much the asset is worth in dollars
2. Attacker force relative to the asset
3. Countermeasure force – relative to the attacker.
No one said it was easy – which is why not everyone is doing quantitative risk assessment. But – that’s why we’re getting paid the big bucks – to calculate risk to the best of our abilities.
References:
High School Physics – Newton’s Laws
Risk assessment – Practical threat analysis calculative method
information risk assessment…
safety inspections…