(Joseph E. Henderson, CSP, is IT Specialist at the Office of Information Technology for the Department of Veterans Affairs.)
Everyone practices risk management daily. Sometimes the measurement is obvious, as with the threat posed by a speeding train: the hazard is greatest to someone standing beside the track. Passengers inside the train are vulnerable too, but that vulnerability is mitigated by the professional operators and the mechanisms that control the train, so the risk is lower inside the train than outside it. This is an example of mitigating risk through professional regulation of a system or environment.
How do we measure the actual probability of exposure to real-world liabilities and threats, as opposed to presumed or assumed ones? Flying, examined logically, is a very low-risk activity, and many would say driving is a far more dangerous means of travel. Presumed or assumed threats, then, are not always valid concerns.
Can we balance the actual risk of exposure? In some cases the equation is forced into the highly probable range: some IT systems receive daily releases (patches and signature updates) intended for the defense of the system and its data, which itself indicates that attacks against them are frequent.
On the other hand, examination of other platforms or software may show that they are much less likely to fall victim, and the equation is weighted in the opposite direction. Measured against actual probability, there may be no risk to mitigate. Over-examination of security exposure where little or none exists results in overkill and misdirected resources.
Below is the AMIS (Accurately Measure Information Security) algorithm:

(X + Y) x Z = R

X = Risk of attack, developed from actual attack figures supplied by industry. Ranked 0 through 10, where 10 means attack is very likely or actual attacks take place daily, and 0 means no attacks have ever taken place.

Y = Number of evasive maneuvers required to divert attack (e.g., firewalls and anti-malware). Ranked 0 through 10, where 10 is a heavy concentration of necessary defensive measures and 0 means none are required.

Z = Value of the data to be protected. Is there personal or valuable information to be secured? Ranked 0 through 5: a value of 5 where the system holds personal or valuable information, down to 0 in the absence of any.

R = Result, or risk, on a scale where 100 is the maximum (high risk) and 0 is no risk at all.
Example 1. Undefended personal computer risk exposure (10+10)x5 = 100
X = 10 (multiple daily attacks are likely)
Y = 10 (undefended systems are probed and attacked within seconds of internet connection)
Z = 5 (personal information stored on the device)
R = 100 “High Risk”
Example 2. Undefended LAN switch risk exposure (1+2)x0 = 0
X = 1 (little to no exposure to attack)
Y = 2 (little, if any, ability to attack a LAN switch device except perhaps to corrupt a configuration)
Z = 0 (no capability to capture or store personal/valuable information)
R = 0 (extremely low risk; note that because Z multiplies the sum, a Z of 0 drives R to 0 whatever the values of X and Y, so Z should be scored 0 only where the device truly holds nothing of value)
A higher number means more security is required.
• 100 <- The risk is high so extra measures are warranted.
• 90
• 80
• 70
• 60
• 50
• 40
• 30
• 20
• 10 <- The risk is slight so we may refocus our efforts to other, more vulnerable areas.
An attempt to protect everything, even that which requires little or no protection, is not cost effective.
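The scoring formula and the two worked examples above can be put into a small scorer that validates each input against the article's ranges, scores a whole inventory, and orders the assets so effort is metered to risk. This is an added example, not code from the article: the 0..10 and 0..5 ranges and the two article assets are taken from the text, while the band thresholds (70 and 30), the helper names, and the two extra inventory entries are assumptions chosen to illustrate the prioritisation step. It also makes the multiplicative edge case explicit: Z = 0 yields R = 0 no matter how exposed the asset is.

```python
"""Worked implementation of the AMIS formula R = (X + Y) * Z.

Added example, not the article's own code. Input ranges follow the
article; band thresholds and the sample inventory are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    x: int  # X: risk of attack, 0..10, from industry attack figures
    y: int  # Y: defensive measures required, 0..10
    z: int  # Z: value of data held, 0..5


def _check(value: int, lo: int, hi: int, label: str) -> None:
    """Reject out-of-range or non-integer inputs so a typo cannot inflate R."""
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{label} must be an integer in {lo}..{hi}, got {value!r}")


def amis_score(x: int, y: int, z: int) -> int:
    """Return R = (X + Y) * Z after validating each input against the article's ranges."""
    _check(x, 0, 10, "X")
    _check(y, 0, 10, "Y")
    _check(z, 0, 5, "Z")
    return (x + y) * z


def band(r: int) -> str:
    """Map R onto the article's 0..100 ladder (the 70/30 thresholds are assumptions)."""
    if r >= 70:
        return "high: extra measures warranted"
    if r >= 30:
        return "moderate: defend in proportion"
    return "slight: refocus effort elsewhere"


def prioritise(assets: list[Asset]) -> list[tuple[str, int, str]]:
    """Score every asset and sort highest R first, so effort is metered to risk."""
    scored = []
    for a in assets:
        r = amis_score(a.x, a.y, a.z)
        scored.append((a.name, r, band(r)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


def zero_value_masks_exposure(x: int, y: int) -> bool:
    """Edge case: with Z = 0 the product is 0 regardless of X and Y."""
    return amis_score(x, y, 0) == 0


# Constructed inventory: the two article examples plus two assumed assets.
INVENTORY = [
    Asset("undefended PC", 10, 10, 5),      # article example 1
    Asset("LAN switch", 1, 2, 0),           # article example 2
    Asset("patched web server", 8, 6, 3),   # assumed
    Asset("print server", 3, 3, 1),         # assumed
]

if __name__ == "__main__":
    for name, r, label in prioritise(INVENTORY):
        print(f"{name:20s} R={r:3d}  {label}")
```

Running the block prints the inventory with the undefended PC at R = 100 at the top and the LAN switch at R = 0 at the bottom; the validation in `_check` is there because a single mis-keyed input (an X of 11, say) would otherwise push an asset outside the 0..100 scale the ladder assumes.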
Data center security of the core operating systems could be raised by several orders of magnitude, making them individually and collectively a virtual data Fort Knox, by enabling the full security suite available under operating systems evaluated at TCSEC (Orange Book) class C2 or higher: discretionary access control, object reuse protection, identification and authentication, and auditing. (TCSEC has since been superseded by the Common Criteria, but the same feature set is what is meant here.) The result could be a net deficit in risk, where intrusion becomes extremely unlikely.
AMIS says measure the risk and meter the effort.