February 18th, 2008 by Chandler Howell

Another thought on KPI #2, “Are we secure enough?”:

Once management agrees to the approach (tracking compliance, gaps, and exceptions, extrapolated for coverage), we can calculate the cost-per-gap-closed of a particular mitigation approach.

I’ll use a trivial example to demonstrate what I mean.

Say I have 10 network-level exceptions related to systems on a particular network, say a production line in a factory. I want to mitigate the risk (really, partition the risk, but I’ll argue/assume that the effect on the aggregate network is mitigation). To do so, I need to demonstrate that firewalling off the network is not only effective, but also a cost-effective approach to the problem.

Suppose, also, that I know from my risk assessment efforts that I have 50 documented exceptions on the network and that 50% of my systems have been assessed for risk (based on best estimates from KPI #1, coverage and control). Extrapolating conservatively (in reality the systems assessed so far are probably somewhat better than average from a compliance perspective, so the unassessed half likely carries more exceptions, not fewer), I assume that I have at least 100 documented or potential exceptions.

Therefore, deploying the firewall to mitigate 10 of them reduces the risk in excess of tolerance by 10% (10 of an estimated 100 exceptions). That gives a cost-per-exception-mitigated of one tenth the cost of the firewall.

If I have some estimate of the impact of the risk (lifted, say, from the business impact analysis (BIA) for the systems/applications), then I can determine whether the firewall is a cost-effective approach to protect those systems, or whether I need to come up with something cheaper. This also allows me to prioritize my risk reduction efforts to maximize efficiency, and to explain to others why I’ve ranked them in the order I have.
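The arithmetic above, carried through for several candidate controls at once so the ranking step is visible. This is an added example, not code from the original post: the firewall keeps the post's ratios (10 of roughly 100 exceptions, 50 documented at 50% coverage), but the dollar figures, the two extra controls, and the decision rule "a control is cost-effective if it costs no more than the BIA impact it protects against" are all constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Mitigation:
    """A candidate control, priced against the exceptions it would close."""
    name: str
    cost: float              # cost of deploying the control (constructed figure)
    exceptions_closed: int   # documented exceptions the control mitigates
    bia_impact: float        # impact of the risk per the owners' BIA (constructed figure)


def extrapolate_exceptions(documented: int, coverage: float) -> int:
    """Conservative estimate of total exceptions from the documented ones.

    coverage is the fraction of in-scope systems actually assessed (KPI #1).
    Rounding up keeps the estimate on the conservative side, since the
    systems assessed first tend to be the better-behaved ones.
    """
    if not 0 < coverage <= 1:
        raise ValueError("coverage must be a fraction in (0, 1]")
    return math.ceil(documented / coverage)


def cost_per_exception(m: Mitigation) -> float:
    """Cost to close one exception with this control."""
    if m.exceptions_closed <= 0:
        raise ValueError("a mitigation must close at least one exception")
    return m.cost / m.exceptions_closed


def risk_reduction_share(m: Mitigation, total_exceptions: int) -> float:
    """Fraction of the (extrapolated) out-of-tolerance risk this control removes."""
    return m.exceptions_closed / total_exceptions


def is_cost_effective(m: Mitigation) -> bool:
    """Assumed decision rule: the control must cost no more than the BIA impact it protects against."""
    return m.cost <= m.bia_impact


def rank_mitigations(candidates, total_exceptions):
    """Order candidates by cost per exception closed, cheapest first.

    Returns plain dicts so the table can go straight into a report.
    """
    rows = [
        {
            "name": m.name,
            "cost_per_exception": cost_per_exception(m),
            "risk_reduction": risk_reduction_share(m, total_exceptions),
            "cost_effective": is_cost_effective(m),
        }
        for m in candidates
    ]
    return sorted(rows, key=lambda r: r["cost_per_exception"])


# Constructed inputs. The firewall keeps the post's ratios (10 of ~100 exceptions);
# the dollar figures and the other two controls are invented for illustration.
DOCUMENTED_EXCEPTIONS = 50
ASSESSMENT_COVERAGE = 0.5

FIREWALL = Mitigation("firewall off the production-line network", 20_000.0, 10, 150_000.0)
ACLS = Mitigation("ACLs on the plant VLAN switches", 5_000.0, 5, 40_000.0)
HARDENING = Mitigation("host hardening of three legacy gateways", 9_000.0, 3, 5_000.0)
CANDIDATES = (FIREWALL, ACLS, HARDENING)


if __name__ == "__main__":
    total = extrapolate_exceptions(DOCUMENTED_EXCEPTIONS, ASSESSMENT_COVERAGE)
    print(f"estimated exceptions: {total}")
    for row in rank_mitigations(CANDIDATES, total):
        verdict = "OK" if row["cost_effective"] else "find something cheaper"
        print(f"{row['name']:<44} ${row['cost_per_exception']:>7,.0f}/exception "
              f"{row['risk_reduction']:>4.0%} of risk  {verdict}")
```

The ranking is by cost per exception closed, which is the only figure the post needs; the cost-effectiveness flag is a separate check against the BIA number, so a control can rank well on efficiency and still be thrown out because the owners told you the loss it prevents is smaller than its price (the hardening line in the constructed data).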

I’ve also managed to turn my risk assessment into dollars, and the dollar amounts all come from the people I’m managing risk for–no accusations by the “customer” of FUD’ing up my numbers, either.

So, no math that’s more complex than four-function arithmetic. It’s simple enough both to maintain over time and to explain to any half-way competent business or IT leader. What’s not to love? (I’m sure you’ll let me know in comments)

- Posted in Security and Risk Management, Risk Management, Security metrics
