Recently in Economics of Security Category

The perils of security metrics


Levels of spam are currently down, quite substantially. It's reportedly because a major source has gone off the air. But has the threat gone away? Unfortunately not. In fact, it illustrates one of the perils of over-reliance on security metrics. 

Do not dismiss metrics. Visibility is a cornerstone of security. You cannot manage security without sight of threats, vulnerabilities and events. Metrics are a natural development in this direction, as well as an obvious criterion for performance measurement.

But seeing should not imply believing. Many metrics are selected to achieve a bonus, to justify a business case, or to complete a security management framework. These are the wrong reasons for the enterprise. Security metrics can help identify and justify trends. But events are subject to wild swings, often unconnected to the quality of the security management framework.

Given that the general trend is for ever-increasing security incidents, it makes sense to anticipate a world with greater incidents. But do not place too much reliance on real-time statistics. Every now and then, we will experience a quiet period. Do not be fooled. We are on a collision course to a world of information insecurity.

Economic incentives for cyber security


I read that US Cyber Czar Howard Schmidt is scheduled to hold a meeting on Wednesday with Secretary of Commerce Gary Locke and Department of Homeland Security Secretary Janet Napolitano, where he is expected to discuss how to improve private-sector cyber security through economic incentives. The meeting is expected to consider tax, liability and insurance incentives among other steps to encourage industry to increase its network security.

It's an interesting development, reflecting the inescapable fact that smart intervention is needed to stem the growing threats of e-Crime, espionage and, inevitably, cyber wars and terrorism.  

Reading between the lines


"Small and midsized businesses (SMBs) have a reputation of being somewhat lax when it comes to information protection... That's why the Symantec 2010 SMB Information Protection Survey is so surprising. It turns out that in the last 15 months, SMBs have become extremely aware of and focused on information protection."

So opens the latest research report from Symantec. It's one I find a little hard to accept because many claims simply don't ring true. The interpretation of statistics is also unconvincing, to say the least, as a claim that 42% of businesses have lost confidential or proprietary information in the past is immediately followed by a pie chart which shows that two thirds have not.  

When I read on, I find that around a third of SMBs claim to be extremely skilled in computer security and that they spend more money on security, back-up and DR than on general computing. They also lose on average two dozen laptops a year, and experience hundreds of individual security incidents each year, yet most claim never to have lost any confidential or proprietary data. Around half don't have a written DR plan, yet more than half claim to test it at least twice a year.

Is this really typical of small and midsized businesses? 

Passwords and the cost of security


A friend of mine drew my attention to an interesting article on the Boston Globe website which suggests our security advice to users is (literally) a waste of time. The feature was prompted by the claims of a Microsoft researcher who believes that "Most security advice simply offers a poor cost-benefit trade-off to users". The article raises two important points, one correct and one misguided.

The first point it makes is that advice to users on choosing passwords is bad. Quite right: in my view we're addressing the wrong problem. It's not about choosing a single strong password, but managing a bulging portfolio of constantly changing ones. We need better tools to store and retrieve them securely. How difficult is that? Yet after several decades the cupboard is embarrassingly bare.

The second point is that users' time is money and should therefore be factored into the cost/benefit equation. Wrong: an extra ten minutes of my time costs nothing and earns nothing in real money. It's simply an irritation. No investment appraisal manager would accept a business case built on such imaginary costs or benefits.

As I've pointed out before, there are fundamental flaws in any attempts to quantify the costs and benefits of security. Investing in security is primarily a leap of faith based on an educated guess.  
The real economics of security


The Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have just published a guide "The Financial Management of Cyber Risk: An Implementation Framework for CFOs". It's the latest in a series of attempts to advise enterprises on how to justify expenditure on information security.

It contains good advice, such as the need to focus more on the human factor. It also contains misguided advice, such as suggesting that a security budget can be based on annual loss expectancy. And it contains some downright bad advice, such as recommending that enterprises outsource the management of a crisis. It reads as though it's been assembled by researchers with limited experience of managing a contemporary security function, extensively quoting from published surveys, articles and methodologies rather than insightful case studies and tricks of the trade.

The unfortunate reality is that we can't calculate the cost of future security incidents. We can make a stab at estimating some of the cost of past events (though the information is hard to collect). But in today's fast-changing business, technology and security environments, no organisation has the knowledge required to assess the probability or impact of a future security incident. 

We can draw on figures from industry surveys (such as the average cost of a data breach), but many factors are not scalable or applicable to other businesses. There are differences between enterprises in the impact of a breach on lost sales, the cost of remedial action and the effectiveness of crisis management. These surveys can indicate general industry trends in the cost of security incidents, but not the likely damage to a particular business.

Investing in security to reduce future losses is primarily a leap of faith. We can provide evidence of past costs and current trends to support a business case, but we should never treat this evidence as more than an educated guess. That, however, should not be a showstopper. Many aspects of business, such as the success of a new product or an advertising campaign, cannot be reliably predicted. But it doesn't stop firms investing in them.

Most executive board members prefer to take decisions on the basis of sensible advice from an experienced expert who can be held to account, rather than a set of statistics. Estimated loss figures can be used to support business decisions, but they should not be used to determine them. A return on investment is possible with many security investments, but it cannot be reliably measured nor guaranteed. Regulatory compliance, however, is a perfectly acceptable investment appraisal criterion, and there's enough of that around to ensure appropriate investment. 

Law suits and data breaches


One of the potential business impacts that should be factored into any risk assessment for a data breach of customer information is the possibility of a class action for damages. It's interesting therefore to note that a federal court in Missouri has recently dismissed a claim against a pharmacy benefits company over a data breach in which millions of customer records were believed to have been illegally accessed.

The plaintiff contended that he and other victims faced an increased risk of becoming the victims of identity theft. The case was dismissed because he failed to prove that his information had been used fraudulently. The plaintiff needed to prove that the injury was "actual or imminent, not conjectural or hypothetical." That clearly presents a challenge in the shadowy world of cyberspace, where concrete evidence is hard to come by, and frauds are likely to be based on multiple sources of information gathered over time.

Money in the Cloud


I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value, intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach to locking up physical assets.  

Online banking security (or lack of it)


Which? Computing magazine has just published a comparison of the leading UK banks' on-line security measures. The results are quite damning. Many top banks have failed to keep up with simple best practices that help to counter security threats from keylogging software.

But there's nothing new here. Banks might have plenty of valuable assets to protect but they've always been painfully slow in updating their security measures. What does come as a surprise, however, is the wide variation in methods used, which is remarkable for a sector with a 'herd mentality' selling identical services.

Security and banks


According to recent research by Gartner, consumers regard security as the most important feature in online banking. That's a pretty obvious finding. Security is the cornerstone of banking. Unfortunately, that doesn't make it a competitive edge, as Gartner appear to suggest. Because we don't pick banks for their security. We pick them for their interest rates, or because their branches are conveniently located. And we expect all leading brands to be equally secure. In banking, security is a minimum standard, not a differentiating factor.

How many lost laptops can you justify?


I was interested to read the figures published last week about the number of laptops that went missing last year from government departments. I've been tracking this problem for the past decade and have a reasonable perspective on what constitutes an acceptable rate of loss. 

Take Work and Pensions for example. Their minister Jim Knight reported that out of around 9,700 laptops used by his department and its agencies, 41 were lost or stolen in 2008, compared to 15 the previous year, but not as high as the figure of 75 for 2004.

Is this good? In my experience it is no more than an average performance. As I've said before, organisations should lose no more than a handful of laptops per 1,000 per year. In the case of DWP, that means less than 50 a year. 41 is neither good nor bad. 75 is a poor performance. But the figure of 15 is surprisingly good.

Of course not every organisation has reliable asset registers and incident reporting systems. So reported figures of losses should always be regarded as potential underestimates.  

About this Entry

This page contains a single entry by David Lacey published on August 7, 2007 12:02 PM.