Re: Is there any way to measure IT Security??

Subject: Re: Is there any way to measure IT Security??
Date: Tue, 16 Aug 2005 21:04:06 -0400

You said: "You can estimate costs associated with a future breach and a probability that an attack will occur."


Can you confidently say that a particular organization has a 0.7 probability of being broken into, with an expected cost of X dollars? If you believe you can, I have a bridge I'd like to sell you.

The root of the problem is that we have very little historical actuarial data from which to make a risk calculation. As I mentioned in an earlier email, it is also very difficult to understand the true extent of vulnerability within an environment. If such a calculation were possible, then there would be a much larger market for insurance against security incidents. Insurance companies largely don't offer insurance against security incidents precisely because they realize that the risk calculation is too vague.

In the physical security world, there are some incentives to report crime. It is only recently that US laws have mandated disclosure of certain types of computer security incident, and so until we build a history of actuarial data, we shouldn't pretend that we can predict risk in a quantifiable way.

I refer you to my paper on the topic published in the journal Computers & Security (Vol. 23, No. 5, July 2004).

 - Andrew


On Aug 15, 2005, at 7:16 AM, Fernando Martins wrote:

I'm not suggesting anything ... I'm saying that it's done; I didn't just discover risk management, others did before me.
You can estimate costs associated with a future breach and a probability that an attack will occur.
If you want to learn how exactly this is possible, you may start to adapt this model to your needs:
http://books.elsevier.com/companions/0750673672/
After an audit, from here you can estimate the probability of a successful attack.
After implementing your solution, from here you can estimate the same again.
You can compare both with the estimated costs before, and know your probable loss, before and after your risk reduction solution.
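The before/after comparison described in the quoted message, written out as an added example (not code from either poster) with the probability and cost given as ranges rather than single numbers, so the effect of the uncertainty raised in the reply is visible in the result. All figures are constructed and the control cost is a hypothetical value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEstimate:
    # Probability of a successful attack in the period, and the cost if it
    # happens, each as a (low, high) range because no actuarial data pins them down.
    p: tuple
    cost: tuple

    def point_loss(self):
        """Single-number expected loss using the midpoint of each range."""
        p_mid = sum(self.p) / 2
        c_mid = sum(self.cost) / 2
        return p_mid * c_mid

    def loss_range(self):
        """Smallest and largest expected loss consistent with the ranges."""
        return (self.p[0] * self.cost[0], self.p[1] * self.cost[1])

def savings_point(before, after):
    """Reduction in expected loss using point estimates (the quoted model)."""
    return before.point_loss() - after.point_loss()

def savings_range(before, after):
    """Range of possible reductions: best case pairs the high 'before' loss
    with the low 'after' loss; worst case pairs the opposite extremes."""
    b_lo, b_hi = before.loss_range()
    a_lo, a_hi = after.loss_range()
    return (b_lo - a_hi, b_hi - a_lo)

def verdict(before, after, control_cost):
    """'justified' if every plausible saving beats the control cost,
    'not justified' if none does, otherwise 'indeterminate'."""
    lo, hi = savings_range(before, after)
    if lo >= control_cost:
        return "justified"
    if hi < control_cost:
        return "not justified"
    return "indeterminate"

# Constructed figures for one hypothetical organisation (not from the thread).
BEFORE = RiskEstimate(p=(0.3, 0.7), cost=(50_000, 500_000))
AFTER = RiskEstimate(p=(0.1, 0.4), cost=(50_000, 500_000))
CONTROL_COST = 40_000  # hypothetical cost of the risk-reduction solution

if __name__ == "__main__":
    print("point-estimate saving:", savings_point(BEFORE, AFTER))
    print("saving range:", savings_range(BEFORE, AFTER), "->", verdict(BEFORE, AFTER, CONTROL_COST))
```

With midpoints the saving (68,750) comfortably exceeds the 40,000 control cost, but across the stated ranges the saving runs from a 185,000 loss to a 345,000 gain, so the comparison does not by itself support the decision.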
