I’ve been doing a lot of research into the actual and potential impact on a business of various types of security incident, and trying to work out how the various statistical models and other data might fit my own organisation. It’s no easy task, because information security incident reporting is very much an ad-hoc business at best and historical data is fairly limited. Some of the easiest research to digest has been performed by the Ponemon Institute, and there have also been many papers presented at the Workshops on the Economics of Information Security, amongst others. The general conclusion is that security breaches only have a significant financial impact if they involve a breach of confidential data, and that even in this case the effects are likely to be short-lived. In fact I can cite various incidents that made the popular press over the last couple of years that support this conclusion. However, if you are operating within an organisation that is placing ever more eggs into the Internet basket, and as a consequence increasing its risk exposure, does the research still hold sway?
My thoughts are that it might do for a single incident, but what about subsequent attacks and breaches? When we consider risk, I’ve learnt that we should think not only about the threat and the vulnerability, but also about the cost of the impact. Those costs are generally operational (i.e. fixing the problem), revenue related (i.e. how much business you lost as a result), and reputational; of course, a loss of reputation can also have indirect consequences for revenue.
So, while you might survive a single event with a short-lived negative impact on reputation, as suggested by the research, it is likely that for each subsequent event the effect on reputation will be more severe. So far we’ve not seen examples of businesses being affected by multiple publicly disclosed data breaches (that I’m aware of), so we can’t prove the theory or otherwise, but it’s certainly something I’m keeping in mind as I plough through a variety of different risk assessments and consider the true impact both on the products concerned and on the business overall.
The reason this is important is that the risk management plan designed to mitigate product-related risks must contain realistic, achievable and measurable objectives. But how can we measure success against events that we don’t know about and that might never happen? It’s the same old security conundrum, and it’s the reason we need more historical data available in order to make our risk modelling more objective. There’s no easy solution, and it keeps coming back to the fact that we are forced to make decisions based on our own best judgement.