I'm not suggesting anything ... I'm saying that it's done, I didn't discover
now risk management, but others before me.
You can estimate costs associated with a future breach and a probability
that an attack will occur.
If you want to learn how exactly this is possible, you may start to adapt
this model to your needs:
http://books.elsevier.com/companions/0750673672/
After an audit, from here you can estimate the probability of a successful
attack.
After implement your solution, from here you can estimate the same again.
You can compare both with the estimated costs before, and know your probable
loss, before and after your risk reduction solution.
Regading ways to map whatever to the CIA ... you can sit and relax waiting
for an answer ... you will wait a lot.
FM
----- Original Message -----
From: "Andrew Stewart" <andrew_j_stewart@mac.com>
To: <security-management@securityfocus.com>
Sent: Saturday, August 13, 2005 9:21 PM
Subject: Re: Is there any way to measure IT Security??
On Jul 28, 2005, at 7:56 PM, Fernando Martins wrote:
The technique must be risk analysis, considering the actual risks,
vulnerabilities and loss costs estimation.
If you want to measure, you must reduce everything to numbers. Start with
the loss costs for your confidentiality, integrity and availability...
Identify the vulnerabilities and the probability of a specific accident
...
Define levels of security and the types of possible enemies ...
At the end you will get 2/3 charts that have the measure of your security
...
You are suggesting that it is possible to identify:
1) The costs associated with a future breach (including the effect on
intangible assets such as customer goodwill).
2) The true picture of vulnerability within an environment.
3) The probability that an attack will occur.
And, 4) A way to map those metrics to the CIA triad.
I'm interested to know how, exactly.
- A
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.8/71 - Release Date: 12-08-2005
