Value-based infosec

This week in an ISO27k Forum thread about selecting information security controls from ISO/IEC 27002, Ross told us "cost is always A factor, however more accurately, the 'Cost-Benefit Ratio' may become a deciding factor. A general principle is that the cost of implementing a risk treatment should never exceed the value of the asset being protected. Determining the 'value' of the 'asset' might be tricky (e.g. impact to brand value when considering consequential reputational risk), however someone within an organisation often has a view on this value."

Clearly security controls should save more than they cost, hence in theory organisations should only invest in, operate and maintain controls that are valuable ... but in reality, value-based information risk and security management is far from straightforward.

For starters, we have no choice with some controls: even in a greenfield situation such as a high-tech startup, the very act of designing and building the company depends on a raft of governance and management controls.

Next consider the costs. Controls have lifecycles incurring costs at every stage, starting even before we develop or procure them, since someone has to determine the requirements, then specify and search for solutions, then implement and configure them. Once operational, there are costs associated with using controls, plus generally they need to be monitored, managed and maintained, and perhaps eventually retired or replaced. Assigning substantial resources to the controls implies opportunity costs, i.e. other investments, spending or saving may be more economic. Because these costs are tricky to measure, it is tempting to ignore them, lumping them in with all the other costs of doing business ... which may explain the failure of some kinds of control. Complex controls, in particular, require significant care and attention to keep them operating efficiently and effectively. They are rarely fire-and-forget.

Thirdly, consider the benefits. Information security controls rarely eliminate information risks: usually, the best we can hope for is partial mitigation - reducing the probability and/or impact of certain types of incident - and even that is uncertain without associated controls such as monitoring, compliance and assurance. What is the $ value of reducing information risks? If a given control had not been selected and put into operation, how costly would any corresponding incidents have been? How does one even value the protection afforded to brands, reputations, relationships, intellectual property, privacy and lives? Ultimately, due to the next factor, it could be argued that the entire value of an organisation depends on virtually all of its security controls ...

Fourthly come the complexities of the mesh, framework, system or architecture within which individual controls operate. Few if any controls are totally standalone, operating independently of all others, aside from some academic's theoretical models anyway. If a given control is missing or weak, other controls may - or may not - take up the slack, mitigating the risks in other ways. Some (most? All?) controls actually create or increase risks while mitigating others. It's all very well promoting the concept of defence-in-depth with multiple overlapping layers of control, but that creates interdependencies which may even destabilise the whole construct, toppling our house of cards.

Fifthly comes yet another tricky factor: dynamics. Just as the 'control universe' is constantly changing, so are the information risks that the controls are intended to mitigate (thanks at least partly to controls!). Threats are inherently hard to identify and assess, let alone quantify. Vulnerabilities can remain unrecognised and dormant until/unless exploited by threats, causing impacts that can ripple way beyond the information risk and security management function, affecting other organisations, individuals and society at large.

And finally, as if that's not enough already, we have information risks associated with the information risk and security management process itself. Given imperfect and incomplete knowledge of a complex and dynamic situation, we cannot be sure of the net value of our security controls. Given finite resources (budgets!) and capabilities (including our analytical and decision-making capacity), plus competing priorities and other pressures, the extent to which we direct, monitor and control information risk and security activities is limited ... hence partial or complete failures are almost inevitable. Despite our very best efforts, information security and privacy incidents still happen, and with hindsight we can usually point to weak or missing controls that should have prevented them.
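To make the cost and benefit sides of the argument concrete, here is an added worked example (my illustration, not part of the original post or of any ISO27k method). It models a single control in the terms used above: lifecycle costs (acquisition, operation, retirement) on one side, partial reduction of incident frequency and impact on the other, and then samples every input from a range to show how uncertain the net value really is. All figures, the class and function names, and the choice of uniform distributions for the uncertain inputs are constructed assumptions.

```python
# Added example (not from the original post): a small cost-benefit model for one
# security control. Lifecycle costs on the cost side, partial reduction of incident
# frequency and impact on the benefit side, uncertainty in every input.
# All figures are constructed; the uniform ranges are an assumption.
from dataclasses import dataclass
import random
import statistics


@dataclass
class ControlLifecycle:
    """Costs of one control over its whole life (hypothetical figures)."""
    acquisition: float       # requirements, selection, implementation, configuration
    annual_operation: float  # using, monitoring, managing and maintaining it, per year
    retirement: float        # decommissioning or replacement at end of life
    years: int               # operational lifetime

    def total_cost(self) -> float:
        return self.acquisition + self.annual_operation * self.years + self.retirement


@dataclass
class RiskScenario:
    """An incident type the control is meant to mitigate, before the control exists."""
    annual_frequency: float  # expected incidents per year
    impact: float            # expected loss per incident

    def ale(self) -> float:
        """Annualised loss expectancy without the control."""
        return self.annual_frequency * self.impact


def residual_ale(risk: RiskScenario, freq_reduction: float, impact_reduction: float) -> float:
    """ALE that remains: the control only partially reduces frequency and/or impact."""
    return (risk.annual_frequency * (1.0 - freq_reduction)) * (risk.impact * (1.0 - impact_reduction))


def net_value(control: ControlLifecycle, risk: RiskScenario,
              freq_reduction: float, impact_reduction: float) -> float:
    """Losses avoided over the control's lifetime minus its lifecycle cost."""
    avoided_per_year = risk.ale() - residual_ale(risk, freq_reduction, impact_reduction)
    return avoided_per_year * control.years - control.total_cost()


def simulate(control: ControlLifecycle, freq_range, impact_range,
             freq_reduction_range, impact_reduction_range,
             trials: int = 5000, seed: int = 1) -> dict:
    """Sample every uncertain input uniformly from its (low, high) range and report
    the spread of net value plus the fraction of trials in which the control pays off."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    outcomes = []
    for _ in range(trials):
        risk = RiskScenario(rng.uniform(*freq_range), rng.uniform(*impact_range))
        outcomes.append(net_value(control, risk,
                                  rng.uniform(*freq_reduction_range),
                                  rng.uniform(*impact_reduction_range)))
    outcomes.sort()
    return {
        "p10": outcomes[int(0.10 * trials)],
        "median": statistics.median(outcomes),
        "p90": outcomes[int(0.90 * trials)],
        "p_positive": sum(1 for v in outcomes if v > 0) / trials,
    }


# Constructed figures: a $40k control costing $15k/year for three years, then $5k to retire.
EXAMPLE_CONTROL = ControlLifecycle(acquisition=40_000, annual_operation=15_000,
                                   retirement=5_000, years=3)
# Point estimate: half an incident a year at $200k each; the control is assumed to
# cut frequency by 60% and impact by 25%.
EXAMPLE_RISK = RiskScenario(annual_frequency=0.5, impact=200_000)

if __name__ == "__main__":
    print("point-estimate net value:", net_value(EXAMPLE_CONTROL, EXAMPLE_RISK, 0.6, 0.25))
    print("with uncertain inputs:", simulate(EXAMPLE_CONTROL, (0.1, 0.9), (50_000, 400_000),
                                              (0.3, 0.8), (0.0, 0.5)))
```

With the point estimates the control looks comfortably worthwhile (about $120k net over three years), but once frequency, impact and the control's effectiveness are allowed to vary across plausible ranges, a noticeable share of trials come out negative. That gap between the single-number answer and the distribution is the "imperfect and incomplete knowledge" problem in numbers: the decision depends on inputs nobody can pin down, so the honest output is a spread and a probability of paying off, not one figure.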

Although hindsight has some value,
it is trumped by foresight.

Since forward-thinking value-based information risk and security management is evidently so challenging, what are the alternatives? A few possibilities spring to mind:

  • The do-nothing option. Don't even attempt to 'manage' information risks. Ignore the whole thing and hope for the best - at least for the duration of your tenure. 
  • Security engineering relies on a structured, systematic approach such as that recommended by ISO27k, SP800, COBIT and other standards and methods: it means being methodical and rational, analysing and deciding things in a considered and justifiable manner.
  • Compliance-based security involves doing what is formally required, and perhaps no more. A significant problem with this approach is that compliance obligations are mostly imposed on us by third parties to address their requirements, regardless of ours - like, for instance, making a healthy profit, staying in business or having a private life.*
  • Best practice security is, for many, an attractive shortcut. Rather than even attempting to figure out an optimal approach for the organisation, they simply run with the herd, implementing 'typical' controls and 'market leading' security products. It's tempting to poke fun at this, pointing out how inefficient and ineffective it can be. On the other hand, lame though it is, it is also fairly quick, easy and low-cost compared to the analytical value or security engineering approach I have been describing. It is, arguably, better than nothing, and better than other suboptimal approaches.
  • Expert guidance means seeking professional advice from experienced, competent specialists in the field, like me for instance. Much of my advice is free, including this blog and other social media musings and website content, but clients have the advantage of more in-depth, focused analysis and recommendations tailored to their specific requirements.

On reflection, it occurs to me that these are complementary rather than alternative approaches. They all make sense under various circumstances - in other words, they all contribute to value-based information risk and security management. I commend them all to the house - yes, even the do-nothing one. With a long weekend ahead and blue skies above, I have better things to do than sit here blabbering on about this stuff. How about you?

* Or, as Gideon Rasmussen put it, "Be mindful that external requirements are biased towards the governing body versus the interests of your organization. For example, the PCI Data Security Standard is focused on the security of payment card data. There are no requirements for disaster recovery or business continuity. The card brands do not care if your business goes under, as long as their payment card data is secure." Thanks Gideon, well said sir.