Kudos to ANSI for publishing a free guide to calculating cyber risk.
Better late than never – thousands of security professionals in the world use the Microsoft Threat Modeling Tool and the popular free threat modeling software PTA, to calculate risk in financial terms – not to mention the thousands of other users of risk calculative methods from dozens of software companies like Palisade and Countermeasures.
The good news
It’s important that a standards body like ANSI endorse calculating cyber risk in dollar terms, directing their message to executives. Any CFO will want to see a brick and mortar calculation for justifying security investment – especially in today’s market where money is scarce and cyber-threats are abundant. I can appreciate the effort that must have been involved in getting Homeland Security Standards Panel (HSSP), the Internet Security Alliance (ISA) and dozens of industry professionals involved.
The bad news
The ANSI document has a number of fundamental flaws:
a. It doesn’t offer practical ways of building a cost-effective, prioritized program of security countermeasures, although it talks about the multi-dimensional nature of the threats and vulnerabilities in high-level terms:
The key to understanding the financial risks of cyber security is to fully embrace its multi-disciplinary nature. Cyber risk is not just a “technical problem” to be solved by the company’s Chief Technology Officer. Nor is it just a “legal problem” to be handed over to the company’s Chief Legal Counsel; a “customer relationship problem” to be solved by the company’s communications director; a “compliance issue” for the regulatory guru; or a “crisis management” problem. Rather, it is all of these and more.
b, An additional problem with the ANSI document is that it doesn’t a practical risk-calculative method for real life. In a real business the risk calculation is a complex multi-dimensional interplay between threats, vulnerabilities and security countermeasures that simply cannot be performed in a 2 dimensional Microsoft Excel.
c. The real failing of the ANSI method is totally ignoring that risk is caused by damage to assets. Although the document mentions assets: physical assets, digital assets (that if stolen are really copied…) and intangible assets (such as company reputation) – it does not acknowledge that assets have financial value. Any CFO worth her salt, will be able to make a reasonable judgment of corporate cyber asset asset: for example, availability of the Oracle Applications Financial reporting system at quarter-end or intellectual property such as mechanical design files of products that the company manufactures.
It’s a step in the right direction, but late in coming and lacking in scope. I hope that the document will receive wide distribution – it’s well written and easy to understand - most executives should have no problem relating to the material and adopting and adapting it to their business situation.