Risk Analysis Vs Security Controls

The document discusses the differences between security risk analysis and business risk assessment. Security risk is difficult to measure accurately and prove, while business risk aims for positive ROI. It argues that relying on security risk analysis to justify controls is flawed, and that due care and good practices established in security frameworks and standards should be used instead to select appropriate controls. The objective of security should change from reducing unknown risk to demonstrating due care and following good practices.

Uploaded by

Eqbal Gubran
Risk Analysis vs Security Controls

Security Controls

• Risk assessment is a flawed safeguard selection method.
• There is a tendency to confuse security risk assessment with business risk assessment.
• Taking a business risk is voluntary, with the objective of a positive return on investment (ROI) and with potential loss limited to the assets invested.

Security Controls

• Risk Management: A holistic management process that encompasses activities that lead to cost-effective security solutions to protect Information Systems.
• Risk Analysis: A process to determine a measurable expectancy of loss, expressed in terms of frequency over a given time, and the amount of potential loss to the identified assets. A subset of Risk Management.
• Asset: Any resource, item or information of value to an organization which, if compromised in some manner, would result in a loss.
• Loss: The undesirable product of a threat that has occurred, resulting in one or any combination of: delay, disclosure, destruction or modification.
• Threat: A person, thing or event that manifests itself as a potential danger to an asset.
• Safeguard: A protective countermeasure to one or more threats or vulnerabilities, designed to reduce the likelihood or degree of loss of an asset.

Security Controls

• One of the major problems is that security risk assessment, and the benefits of using the results of risk assessment, cannot be measured in any sufficiently accurate or provable way.
• Security risk is difficult to manage since you don’t know, and can’t control, the often irrational people who cause the risk and their plans.
• You cannot manage what you cannot measure.
• These differences suggest that the negative objective of reducing security risk and the methods of risk assessment are not sufficient to justify security expenditures in a rational way.

Security Controls

• Like many of our stakeholders, we have wrongly assumed that business risk and security risk are the same.
• They are fundamentally different.
• Therefore, the validity and success of business risk assessment does not prove that security risk assessment would be successful, and the failings of security risk assessment do not imply anything about business risk.

Differences Between Security and Business Risks

Security Risk:
• Involuntary risk of unknown value; cannot be avoided
• Explicit adversaries are not identifiable
• Adversaries are unknown
• ROI is negative, unknown, and not provable
• Positive benefit is the absence of unknown possible loss

Business Risk:
• Voluntary, discretionary investment decision can be made
• Competitors are known
• Competitors normally follow ethical practices
• ROI is positive and can be easily demonstrated

*SKRAM - Skills, Knowledge, Resources, Authority, and Motives


Differences Between Security and Business Risks

Security Risk:
• Negative result is unlimited, unknown loss
• Risk assessment is not verifiable because results are obscure
• Amateurs perform risk assessment
• Limited resources are allocated to risk assessment

Business Risk:
• Positive benefit is measurable profit
• Loss is limited to the investment only
• Risk assessment is verifiable by obvious results
• Professional risk managers perform risk assessment
• Generous resources are allocated for risk assessment

Changing Objectives

• For the past 30 years, the objective of information security has been to reduce risk by applying security controls.
• This objective has kept us tied to the flawed effort to perform security risk assessments.
• If the objective of adopting a security safeguard is to reduce a security risk, the expenditure for the safeguard can only be justified by demonstrating that the cost of the safeguard is lower than the cost of dealing with the possible negative consequences of failing to implement the safeguard.

Changing Objectives

• Today, with 30 years of security advances and loss experience, we have used more than 300 generally accepted safeguards.
• We have:
– recorded loss experience,
– identified vulnerabilities and threats,
– developed and used safeguards, and
– established due care and good practice in the process.

Changing Objectives

• These efforts have been documented extensively in:
– The Common Body of Knowledge
– British Standard (BS 7799)
– International Standards (ISO 17799)
– CoBit
– Generally Accepted System Security Principles (GASSP)
– NIST Common Criteria
– CERT

Changing Objectives

• In most cases, it is no longer necessary to conduct reviews and plan security budgets by repeating threat, vulnerability and risk analysis.
• The standards of due care have already been established.
• The only analysis needed is the evaluation of the threats and vulnerabilities related to the newest technologies and applications, to find and devise safeguards that are not yet accepted as being due care.

Changing Objectives

• Given the existing knowledge base and experience, we should rely on due care and good practices for most of our needs, to gain management support for security plans and to help choose safeguards.
• By benchmarking the practices of other organizations and gathering information on the sales and evaluations of purchasable security products, we can measure the extent to which our safeguards reflect the strength of due care and good practices.

Changing Objectives

• When benchmarking, if you discover that four of your competitors have installed firewalls, no risk assessment is necessary to support a “good practices” conclusion.
• Good security management (not risk management) requires that you plan an overall structure and system architecture for your security infrastructure.

Controls Conclusion

• We should rely on due care and good practices and methods for selecting safeguards.
• BS 7799 and ISO 17799 have 350 controls to choose from.
• Use benchmarking, peer communications, security product advertisements and evaluations, and security product demonstrations in selecting safeguards.
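
The two safeguard-selection arguments the deck contrasts, written out as an added Python example (not code from the slides or their author): the risk-based condition from the Changing Objectives slide, where a safeguard is justified only if its cost is below the loss expectancy it removes, beside the benchmarking approach, where a control counts as good practice once enough peers have adopted it. Every peer name, control name, loss frequency and cost below is a constructed assumption, and the function names are hypothetical.

```python
"""Added example: safeguard selection by risk analysis vs. by due-care
benchmarking. All peers, controls, frequencies and costs are constructed
sample values, not data from the deck."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class LossEstimate:
    """Risk-analysis inputs as the deck defines them: frequency of loss over
    a period (here per year) and the amount of potential loss per event."""
    annual_frequency: float   # expected occurrences per year (an estimate)
    loss_per_event: float     # monetary loss per occurrence (an estimate)

    def annual_expectancy(self) -> float:
        """Expected yearly loss: frequency times loss per event."""
        return self.annual_frequency * self.loss_per_event


def risk_based_justification(before: LossEstimate, after: LossEstimate,
                             annual_safeguard_cost: float) -> bool:
    """The slide's condition: the safeguard is justified only if its yearly
    cost is lower than the yearly loss expectancy it removes. Note that the
    answer depends entirely on the two frequency/loss guesses, which the deck
    argues cannot be measured or proven for security risk."""
    avoided = before.annual_expectancy() - after.annual_expectancy()
    return annual_safeguard_cost < avoided


def good_practice_controls(peer_controls: Dict[str, Set[str]],
                           threshold: int) -> FrozenSet[str]:
    """Controls adopted by at least `threshold` benchmarked peers. The input
    is observable peer behaviour rather than an estimated loss frequency."""
    counts: Dict[str, int] = {}
    for controls in peer_controls.values():
        for control in controls:
            counts[control] = counts.get(control, 0) + 1
    return frozenset(c for c, n in counts.items() if n >= threshold)


def due_care_gap(our_controls: Iterable[str],
                 peer_controls: Dict[str, Set[str]],
                 threshold: int) -> FrozenSet[str]:
    """Good-practice controls we do not yet run: the safeguards to plan next."""
    return good_practice_controls(peer_controls, threshold) - set(our_controls)


# Constructed benchmarking data: four hypothetical peers and our own controls.
PEERS: Dict[str, Set[str]] = {
    "peer-a": {"firewall", "backup", "antivirus", "patching"},
    "peer-b": {"firewall", "backup", "patching"},
    "peer-c": {"firewall", "backup", "antivirus", "mfa"},
    "peer-d": {"firewall", "patching", "antivirus"},
}
OURS: Set[str] = {"firewall", "backup"}

if __name__ == "__main__":
    # Risk-based route: rests on guessed frequencies (0.2/yr vs 0.05/yr).
    before = LossEstimate(annual_frequency=0.2, loss_per_event=100_000)
    after = LossEstimate(annual_frequency=0.05, loss_per_event=100_000)
    print("risk-based justification at $10k/yr:",
          risk_based_justification(before, after, annual_safeguard_cost=10_000))
    # Due-care route: rests only on what the four peers observably run.
    print("good practice (>= 3 of 4 peers):",
          sorted(good_practice_controls(PEERS, threshold=3)))
    print("our due-care gap:", sorted(due_care_gap(OURS, PEERS, threshold=3)))
```

Changing the guessed frequency in the first route flips the justification with no way to check which guess was right; the second route changes only when the peer set or the adoption threshold changes, which is the point the benchmarking slide makes with its four-competitors-with-firewalls example.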
Controls Conclusion

• If you take these steps, over time you can replace the negative objective of reducing risk with achieving business enablement, due care and good practices as the stated positive security objective.
