Risk and Security: how much to spend?


Monday, May 30, 2011

Risk and Security: how much to spend? (intro) – 001


When I’m talking about security with customers, partners or at an event the first question I usually receive is how much this will cost to me?
This is an understandable question, costs have to be monitored and expenditure have to be planned wisely, the problem of how much I can spend on security is a quite interesting topic.
The problem, alas, is that usually IT managers do not use a clear model when planning investment in security but seamed to be attracted more by strange inner believes than aempirical analysis of cost and benefits.
Another point that I’ve always found quite curious is that I’ve been asked lot of times theROI of a security implementation, while the only parameters taken in account are how much I will spend now and how much I would spend the next “X” years.
So I’m wondering if it is really possible to understand how much i is worth to spend for security.
The first point I take in account are postulates:

The first one is quite simple, no matter how much you spend you will never be able to avoid any risk: perfect systems just simply does not exist. you can transfer or mitigate a Risk, but the risk itself does not disappear.
the second point means that is really hard to understand what happen and the impact of a risk. eve if we’re talking about a simple field like information security there is not an enough lever of understanding of what really happen. Dealing with risks and relative costs should involve the impact a risk can have on a business, and the aspect of this impact are, partially, unpredictable because partially depends on external factors,externalities and the unpredictable human behavior.
So does this means I should not care abut security? On the contrary this means that this is a quite difficult exercise, and more study on this would be appreciated.
Let’s start with some considerations:

So why I need security on my IT networks?

The main reason we should secure our networks is because our networks are used to let our company make profits. Without our networks we would not be able to handle data, communications, business process and so on.
Networks are not just a silly benefit or a luxury optional but are an integral part of our business, we live in an interconnected world, we like it or not, and networks are the instruments we use to reach our customers, sell o buy things, works and communicate.
Networks are also used for personal fun and most of the tame, nowadays, the same tools can be used to work and leisure make vanishing the differentiation between the two.
As IT networks pertain to business, it pertains also to human behavior, so we have to take in account business needs as well as human needs.
If we cannot expect that someone works 24\24\365 without losing concentration or productivity, as well we cannot expect to increase productivity if our systems upset their users.
So our IT networks and their components are a foundation for our business and personal relationships. this means they will be used to process data that are valuable, and a disruption of the service provided could result in a loss of money.
What I’m talking about? I’m talking about your laptop that you use for work and to play or watch movies, your smartphone, your internet browsing, your Skype and your VoIP, your teleconference and videophones, your email, your home internet connection, yourmobile internet edge connection, your iPad, your iPhone, your android Samsung ace ….
Everything that is under our experience is, somehow, related to IT networks and data processing.
But if IT networks are such a relevant part, and if over network we pass such a great amount of data we need to do something to protect the reliability of the service provided and the data we exchange through it.
So make sense to consider some money for IT security, but how much and what this means?
Of course there are several consideration to take in account when we talk about security, and a network design should implement by itself most of the security related issues: for example all the stuff related to HA, redundancy, performance and management are common fields for networks designers and IT geek.
So a network should be fast, reliable and friendly to manage. But since our networks should be used also by users for business transaction and more, should be understandable, usable and the closest to user proof as possible (someone once told me that IT networks without users would have been perfect, although, he agreed, quite useless). The user experience is not secondary, but is one of the most important factor related to security and productivity (yes both).
Another important consideration: network is not for IT gurus or IT geek or Hacker and stuffs, so stop to consider user like morons (ok sometimes the seems to be, I admit it, but usually they give the same feeling also in other life and work field), they’re the reason of our incomes Smile.
The need for security is not so far away form the need of a network itself, security is just one of the aspect and so should be take in account also during network design, but at the end security has a relevant impact on our activities.
What would you think if someone else read your email? or if someone read your credit card transaction to steal you money? or if your e-commerce site would be taken down? or if your customers would be affected by something taken in your site? or if your employees data would be stolen? or if your network would shut down for some reason?…
those kind of questions are deeply related to security issues, this is security.
So it is quite simple to understand, the problem is how much make sense to spend? what I need to implement?
The answers usually are: the less is the better, well I will never allow this in my network, and do I really need it?
Wait is this an answer for something that seems to be so important? The problem is that network owners and managers are usually not involved in business procedures as well as in human behavior. Is just recently that security start to consider the human effect on decision and risks (not only in IT I have to say Smile).
Bit if the network owner is not involved in business process, at the same time the business owner are not involved in network design, so to make them understand each other use a media: money. Everything have to be converted in how much I spend and the ROI related.
Let’s say I do not like the ROI, is something really difficult to calculate, and what is worse, usually the most important parameters are not even taken into account. But anyway a good IT manager should be able to translate needs into money to allow the other managers to understand what he is talking about. To convert IT security into money is an extraordinary difficult effort, because (remember postulate 2) I never met anyone who is able to estimate correctly the profit and loss of an IT departmentHot smile.
Let’s take some real examples to understand what I’m talking about.

Sony security approach

Consider Sony Hack, the did not spend quite anything on security to secure their networks. the reason has been, obviously, that they estimated the risk exposure and the damage of an hack quite insignificant. alas the made a mistake and this would cost them a lot of money in terms of loss of profit for the days the network has been closed (direct loss), costs of recovery, cost of image (that at the moment I’m not able to predict but considering the coverage this hack have had I should say will cost a lot), legal cost for customers that will sue Sony….
So the network managers have not been able to explain the need of securing the networks, and I suppose this has been related partially to the fact they didn’t have a clear vision of the business model they were implementing (as well as the other managers I should say).
Do they analyze the impact of this hack when they were designing the PSN network? Do they make a risk assessment considering the loss (direct and not direct) related to such stop? I don’t think so otherwise they would have bought at least a firewall and implemented patch management strategy Smile.
I can hear their thoughts before the hack: “But, come one is just a game platform, and we need to make profit and cut costs, so why we should care about security,just marketing. we do not need it what could happen? some kid playing for free? does not worth the cost.”
As well as their thoughts after the hack: “how the hell this could be happen? nobody told us anything, someone (else) will have to pay for this. … We did all possible we could not imagine something like that (sic)…. Hack? what’s hack? …”

  • Was so hard to suppose that someone could have broken into the network? (a global one. and well known)
  • Do they really didn’t realize that they were processing sensible data?
  • Do they really thoughts that recover form an hack would have been quick, easy and without consequences (or minimal ones)?
The RSA way

On the other way is not assured that if you have great skills on security you’re invulnerable, as RSA hack showed us. Come on this is a security company that has been hacked in one of the most protected networks because of someone leverage Human behavior with spear phishing email, social engineering and some good hacking work.

  • were they expecting someone would have been able to force their defenses?
  • did they prepare a public communication schema to address public and customer concerns?
  • did they put in place countermeasures to protect they customers for risks related to this data loss?

So even if we feel confident we can be fooled. either if we put in place security or not we can be hacked. So it does not worth to be protected?
Those two examples are extreme situations, but most of our networks (all of them actually) could fall in between those two extreme.

The others does not feel better:

Lockheed Martin, Honda, Toyota, Epsilon, Vodafone, Word press, Google, The Gawker media…do you have to name more hacked reality or this is enough to make you feel I’m talking about something real?
Don’t considering correctly security could be damn expensive, those days events are full of those example.
So is there a way to make a guideline to understand the first brick of our security wall? How much would I lose if I don’t put security in place? and what I need to address correctly a problem? And what are the risks I can be exposed to?


Friday, June 3, 2011

Risk and Security: how much to spend? (intro and more :)) – 002

Hot smileBasically the problem for an IT manager is to understand how much money he can ask to company management for security.
Well the aspects to take in account are several, the idea is to put an insurance onbusiness process to allow continuity and minimize money loss. Apparently this is an easy task, but it is an exercise that usually IT managers don’t do.
Again we can take as an example the Sony affair, the PSN networks was used to generate revenue, and the hack stopped those revenues.
We should try to ask to ourselves: how much would this kind of security incident cost?
we have different elements that could be taken in account:

  • What is the value of the process I’m trying to protect?
  • How can I estimate is the direct loss related to the security incident?
  • Are there indirect loss related to the incident (image loss, customer disaffection, credibility loss…)?

Once we have outlined all the questions we should be able to define somehow the king of security outbreak we’re trying to address and the relative process to secure it.

What is the value of the process I’m trying to protect?

It is not so easy to define the value of a process, we know that if we are selling a good we earn something, so we could assume that the value of tis process (selling a good)is just what I get in terms of money – the money I spent to make the sell.
Alas in a world where data trust and communication are valuable this is not enough. How much the PSN Sony network was valuable to Sony? just only related to the money they directly collected? or there were some externalities that should have been taken in account?
As a good exercise we could try to understand the value of something just trying to consider what happen when I got a problem.
So I have the PSN network up and running, after the hack I have had to face the direct costs, the money I did not received during the stop. but then I have had to face cost related to the hungry customers so I offered something to them to make them calm down…
wait I have to make customer happy again?
This means that the value of a service is not only related to the direct revenues, but also, just as an example, to the image value that this service is providing to the company.
There are factors that rise the value of a process that can be indirectly related to the process itself but can have a strong impact in case of failure or security incident. Customer satisfaction, trust, image are just a few.
How much worth a process is outside the scope of this article, but I wanted jut to make you realize that things are not so easy at it could seems. At the end some values are just determined by a good dose of guessing Smile. We are not able to determine how is the real value, but we can make some assumption and create a target value indicator that we can use for any further analysis.

How much can I afford to loose?

Once we’re able to determine somehow the value of something we should try to evaluate how much we can afford to lose of that value.
So, for instance, assuming that a service provide me a net value of 100\day once I’ve taken out all the related direct and indirect costs, how much I can loose without forcing me to close?
Let’s say I have to stop the service for some reason, will this be acceptable? and if it is acceptable how much this service can be down without affecting my activity?
so if I have 100\day I can think in a month to have 100 * 20 working days = 2000 net income
a day off will cost me 100 (I’m over simplifying, I know) .
if I stop for 5 days a month means that I would lose 500 so my net income would be 1500: can I afford this?
There is not such a standard answer, it could be yes I can or it could be no I can’t.
If I can afford the loss basically it makes no sense to address the 5 days stop problem, and maybe I can concentrate on the >5days stop problem.
What we have here is a way to measure how much money can be related to a certain problem. It does not make really any sense to understand, at this level, what can cause the problem, we’re just trying to understand the effect of the problem no matter what is the cause.
Just to translate this in terms of Systems engineering this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a Dos attack?
Quite not really the result would be systems down.
The best baseline I can create the best consideration I’ll be able to do, and some empirical experience is usually a good indicator, that means managers lot of time understand the value of security AFTER they have been punched (PSN affair teach Angry smile).

Risks % and Murphy’s law

We know now that we have a process that is valuable, and we know that if we have a problem it will cost us a certain amount of money “X”, and we know that we can afford to loose “nX” money for “n” incidents.
The next step is to be able to understand (or guess) what is the risk that the event X happen to me.
we have, basically, 3 possibility

  • 0 chances that the incident comes so no blocks at all
  • 100% chances that the incident happen and block me 100% of my time
  • something in between

The first possibility is simply not to be taken into account. Murphy’s law teach us that if something can go wrong it will, and this is basically truth for any engineering process. There is nothing that can be perfect and invulnerable, even Superman has his low moments. This means we cannot be sure that we will never see a problems, but does not means you will see it Smile.
the second bullet refers to a condition where you are 100% sure that the process will not work, this case is worthless to spend time dealing with this. If I’m sure it will not work I don’t need anything else Party smile.
So we’re somewhere in between, the only thing we know is that we’re vulnerable Smile.
Recap the steps done till now: we know our process is valuable, and we know that we can convert this value in money terms so that the rest of the managers can understand it.
We also know how much will cost us a “general” security incident in terms of missed revenues and how much we would be allowed to loose without affecting the business.
What we need now is to understand how many chances I have to be affected by the incident. we know that this is an exercise of black magic Angel
the best way is to call the dark forces of evil and ask them what are their plan for the next period of time. Alas since they’re forces of evil it is hard to have a good answer, and so I think we should take some other ways to try to do this.
The best way usually is statistics, baselines, and expertize.
We usually know that a disk chance to broke is generally low, mostly because by design we use redundant raid systems, as well for software and HW server failures we usually have this kind of prevision. but for a denial of service? do we actually risk? how much?
the answer is, again, not so easy, take in account the process you’re trying to protect, the things that could be valuable for any external source, the risk trends, the visibility of the company and so on.
While the risk of being hacked was considered very low in Sony they did not realize that there were at least 3 factors that would have been taken into account:
1) the hack was a way to reach something valuable : user information, email, and credit cards.
the way someone value a data can differ from it’s owner, email are not considered so valuable if you’re not a marketer, but if you’re a spammer they worth the hack.
2) the Sony name was a big name and this would have turn all media and expert eyes on the hack itself, this would have magnified the damage in terms of image, as well redirecting other hackers onto the target that showed such a big vulnerability.
3) Sony was dealing with some hacking problem related to the PS2 hacking code, and was exposed for its strict comment on internet piracy. this would have expose the brand also to acktivism and not only cybercrime.
Just considering those 3 factors would be clear that a hack would have been possible and probable.
This is something we should think more, we need to protect our asset because they’re valuable for us, this does not means that someone outside would not find something else valuable even if we do not consider it worthy.
Sony as been hacked because hacker found something valuable that Sony managers were not value, this increased the risk of a security incident as well as the repetition of it.
Assuming we are so smart to understand the % of risk an incident can happen we have enough element to start to understand how much worth security and so how much we should spend on it.


Thursday, June 9, 2011

Risk and Security: how much to spend? (intro continue again:)) – 003

Drawn in Autosketch + pasting in words from Excel

Image via Wikipedia

Let’s do some math

If we did our homework’s and follow the simple steps provided in the two previous posts we have now some elements to make some guessing,

  • A – We know more or less how much worth our process
  • B – We know more or less how much would cost us a single incident
  • C – We know how much we could loose if the incident hit us.
  • D – We know that there is some % risks that the incident will hit me.

Alas those are not static value but functions that changes during time and are strongly related to what happen at the border, the equation able to describe the relationship between all of this elements and the external worlds are out of the scope of those articles (come on tis is an introduction Angel)

So basically we are now in the process of building our insurance based on something we will negotiate internally to our team and with the management.

The idea is that I want to spend some money in order to address the incident, and I want to do it to, basically, do a couple of things:

  • Lower the % of risk the incident will hit me
  • Lower the cost of the single incident

It is clear to me that we have a couple of considerations to take in account.

The security expenses cannot be higher or equal than the value we can loose. It’s worthless to protect an asset spending a bigger value than the value of the asset itself.

this means that the Total Cost of Security (TCoS) cannot be higher of C (I know it does not exist but I love to create those sort of things Hot smile sound so professional Nyah-Nyah)

TCoS << C

At the same times we know that TCoS is related to the value D and the kind of security incident (Can I call it SI? Rolling on the floor laughing) basically TCoS can be represented by a function of some variables:

TCoS=F(C, t, SI)

where t is the time.

Basically TCoS is the highest amount of money I can afford to pay to protect my process. but we know that this is a target value and the management will newer allow to spend this, so we will have just a fraction of this value, let’s call it the Available Total Cost of Security (ATCoS).

We will have that ATCoS << TCoS so basically the amount of money we will be able to allocate for security is just a small fraction of what we should spend.

Why ATCoS is sensibly lower than TCoS? The basic reasons are related to the:

  • great dose of guessing that we use to determine A, B, C and D functions.
  • negotiation with the management in order to allocate resources
  • a usually very low understanding of the implication of security in business
  • some strong cultural barrier to understand the impacts of new technologies
  • bad capability to present the value of a solution in understandable terms for the management
  • mix of allocated security resources in different departments and

Of course I strongly doubt that there is any IT man that create it’s own Total Cost of Security function so we usually use some empirical experience to guide us and some easy rules:

  • 1) the less is the better
  • 2) the less is the better
  • 3) they will never give me what I need
  • 4) they do not understand
  • X) have I told the less is the better?

Some tricks can be used when trying to define a security budget, the first of all is to find a sponsor, and marketing usually is a good resource. We should be able to point out the risks related to the image and the bad influence that some security risks can have.

think again at Sony affair, but also to Honda and the other big firms that have been targeted recently.

the second trick is to be aligned on what is happening in the security space in the world.

You do not have to be a guru, just you need to find good and impressive events that can be used in a discussion to enforce your point. Those days are full of events, just useGoogle news or similar service to have in your mail a updated recap. would be useful for us to be able to explain our needs (the company needs actually) by examples.

If Sony PSN Networks Managers would have been instructed that identity thefts are so common nowadays and can be so destructive in terms of image probably would have adopted a completely different approach to security.

The two parameters TCoS and ATCoS are also a function of times and communication effort spent, if there are a lot of security warnings, previous incidents experience those two parameters changes

Again if we think about the Sony PSN affair we have had pre-incident a TCoS that was close to 0 and consequently the ATCoS was basically 0.

What drive the TCoS close to 0 was the misunderstanding of the % of risks of an incident to occur “D”, the cost of the incident itself “B”.

If we look at what happened it appears clear that the risk of the incident was underestimated just because managers were not taking into account the damage would have result form the hacking (remember, it’s not just the direct costs…) and were not taking in account that there was something valuable for other (personal data) that could have been reached. Likewise they did not took in account the consequences in terms of emulation and acktivism.

Once again we have to remember that security is something that require cross-functional experience to be correctly evaluated.

at the end to have an idea of the value of ATCoS we should make some assumption, take some agreement and do some negotiation. But is this enough?

Sony affair teach us that there is another term of the equation that should be taken into account the minimum cost of security I’m allowed to put in place.

This quantity is the minimum expense I have to budget in order to provide a minimum\lifesaver level of security.

If we call mTCoS the Minimum Total Cost of Security we should assume that



  • How much I can loose in case of incident
  • legal\contract requirement
  • the technical aspect of the implementation of the solution:
    • direct costs of implementation (project, devices, training)
    • personnel
    • management\support
  • business impact of the implementation

  • mTCoS is a key parameter when negotiating with the management, this is the lowest level you can go in terms of resources, if you do not even reach this level you will not able to provide the level of service that can avoid the function we defined at point C (how much we can afford to loose in case of incident)
    since mTCoS is <<<=”” a=”” also=”” expressed=”” function=”” in=”” is=”” it=”” obvious=”” of=”” point=”” that=”” the=”” value=”” “c”
    If mTCoS is close to TCoS this means we have no margin for negotiation (and this is really bad, believe me) or me made the wrong assumption.
    Although this condition appear to be far from be real, there are areas where security expenditure are usually calculated with a mTCos close to TCoS. the typical example is the Storage area, where security (well part of it) is usually integrated in the solution, so nobody consider a Raid implementation an extra security level anymore.
    When we have this kind of situation, a sort of undisputed must to have, the negotiation is really easier. there are some other areas here this security approach can be taken, think, for example, about the desktop\laptop implementation of an antivirus client.
    How rational is this kind of approach? Well usually this is an approach consolidated and taken for correct without any critical analysis. the risk here is to avoid to take in consideration solution that can provide a better coverage of the security needs, security needs change every day.
    So we need to be able to estimate the mTCoS in order to negotiate our security budget.
    to do so we need some tools and instruments, that should be generally used also for our routine management and IT budget calculation.
    I don’t spend a word now about legal constrains, but I would like to make some considerations upon the technical aspect.
    If we know that we need a minimum level of security we should be able to measure it, make confronts versus a data baseline that can help us to understand if we are doing the right thing or not, make some measurement on the changing threat landscape and some forecast.
    All this require some statistical knowledge, at least at high and light level, to forecast what we need and we’ll need.
    here comes an area where people makes a lot of mistakes and I would like to spend a few words on it.

    The trucks and the wheels

    Let’s assume there is a statistics that say the average wheels for a truck is 5, what do you understand?
    If you aspect to find a 5 wheels truck on the road you should have a problem Smile!
    If the average wheels are 5 means you have some trucks with 4 and some with 6 let’s say 50% and 50%.
    with two option understanding this is quite easy, but if the output option are higher sometimes is hard to understand statistics. this is quite common in the security space where the interactions between aspect that are, apparently, unrelated are enormous.
    Alas a lot of people in the security space is looking for the 5 wheels trucks and does not check the 4 and 6 ones.
    Sometimes we concentrate just on some aspect of the process because we think are the only relevant object, and do not analyze the process itself, the result is that we focus on the wrong target or, better, we invest more money on the 5 wheels truck hunting than the 4 and 6 ones.
    The result is that we miscalculate the element that are used to calculate the mTCoS diverting resources to some other things.
    The classical example is the email management.
    It is quite common to implement an anti-spam solution, but spam is not considered in the whole aspect,is just considered an annoying thing to deal with because managers can complain.
    As well some content filter policies are implemented but without a real understanding of the consequences and potential threats or productivity impact.
    The result is a set of policy and security services that, form a security perspective, does not actually make any sense, and the money invested basically does not provide the level of service that with the mTCoS should be provided.
    Since probably the mTCoS has not even been calculated (it require the definition of the process we need to secure and the relative minimum level of service) this simply means that security implementation does not address a security concerns but just some random aspects with, probably, a sub-optimal allocation of resources
    So IT managers don’t allow to exchange executable through the mail, but at the same time allow to use external webmail without restriction, use anti spam gateway systems but do not provide an antimalware gateway system to protect form the few mail that can pass through the solution even if mails are 99.9% html based.to be continued

004)Tuesday, June 21, 2011

Risk and Security: how much to spend? (…and again again:)) – 004

So while we’re looking for our 5 wheels security truck a lot of other vehicles pass under our noses
Understanding what we have to look for in securing a process is mandatory in order to be able to analyze costs. The mTCoS is strictly related with the process we want to secure and the minimum level of service we can accept.
To be able to calculate mTCoS we should be able to understand:
how the process works :components, storage, users, structure …
how (if) the process is related to other process
which kind of data are of any interest to secure within the process
The best approach is to minimize the process structure and divide it in smaller elements that can be analyzed in an easier way. The final mTCoS will be the sum of all the mTCoSx provided for every subsystem.
so basically if we have a process P we can divide it different substeps p

and the resultant mTCoS will be (more or less)

So first we should try to find out what process we want to protect and determine the minimum level of service we can accept, then we should be able to divide it in smaller process to make our task easier and define for each smaller process requirement and interaction.
Once we have created our process model we can finally define which are the risks for each sub process and the whole process that we should consider in order to give the required level of service.
Once we have defined the risks and process we can prioritize them in an arbitrary way considering some aspects: the impact of the risk, the percentage that that event can occour.
The final step of this operation is to watch the market to see products and technologies that address our list of risks in order to secure our process at an acceptable level and define our mTCoS.
Of course we should do a little exercise of imagination when dealing with risks: how much can we transfer? how much can we mitigate? How much can we recover? …?
Several technologies offers different approach and different costs for the several aspect of risk management.
Just theory?
believe or not this is an approach that can drive our expenditure in the right direction, that is not spend the less possible, but spend the correct amount of money do address correctly the problems i need in order to provide the level of services requested.
On the other end we can use the Sony approach 🙂 but remember spending “0” or “100” without a correct plan is equally a nonsense.
Let’s try
So why we can’t try to imagine this process in something we should be aware need protection: email systems.
Ok i started with an easy task, just because i would like to begin with something extremely easy, but we will have the chance to explore further aspects while creating the model and analyzing the risks.

to be continued … (and the intro is ended)

Enhanced by Zemanta

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s