The Risk Equation
Here's a simple equation for quantifying your organization's security risk.
When interviewing me for security-related stories, reporters frequently ask
me to describe the primary goal of information security in terms everyone can
understand. Here's what I say: Infosecurity is about mitigating risk. Of course,
there are many ways to define and evaluate risk, and many subtle and substantial
differences in the application of risk-related terms.
The most effective way I've found to define risk is with this simple equation:
Risk = Threat x Vulnerability x Cost
This equation is fundamental to all that we do in information security. But
before we discuss the equation itself, let's take a look at each of its three terms.
Threat is the frequency of potentially adverse events, that is, a count of events
per unit of time. Since threat (by this definition) is always a frequency, it is
always, at least in principle, measurable. And since the events are only
potentially adverse, threat per se is not necessarily dangerous or detrimental.
Here are some examples. The threat rate of southern California earthquakes
greater than 4 on the Richter Scale is 21 per year. The threat rate of
hurricanes hitting Florida is 1.4 per year. The threat rate of insiders who use
somebody else's logged-in PC to inappropriately access restricted information is
approximately four per 1,000 users per day. The threat rate of virus encounters
by a 1,000-PC organization is 88 per day. The threat rate of
"attack-related scans" against a single IP address is seven per day.
And so on.
Threat rates can be categorized into "global threat rates" and
"local threat rates." A particular organization's geography, status,
political stance or any other factor may expose it to more or less threat than
the global rate would suggest. The key is to determine, or at least estimate, the
rate of whatever threats face your organization. Of course, many threat rates
change constantly, particularly those driven by humans.
Vulnerability is the likelihood of success of a particular threat category
against a particular organization. Notice that if this were the likelihood of
success of a particular attack (e.g., the Ping of Death) against a particular
machine, the likelihood would be either 0 or 1 (0 percent or 100 percent). But
since we are concerned about vulnerability at an organizational level (with,
say, 1,000 PCs and 50 servers configured and architected in a particular way) to
an entire class of threat, binary terms don't work. Instead, vulnerability has
to be quantified as a probability of success, expressed as a percentage.
The likelihood of success is not easy to measure, but a related term,
"vulnerability prevalence," is. Vulnerability prevalence is simply the
number of machines of a particular type (say, NT-based Web servers running IIS
that are exposed to the Internet) that exhibit a particular vulnerability.
Many factors work together to make some, but not all, machines vulnerable in
their current environment, even if the software, hardware and data are identical
across machines. Router rules, firewall configuration, proxy settings, NAT,
location on a subnet, OS type, co-existence of other running processes,
existence of data of certain types, existence of sample code or files, and
secondary connections of certain types all matter. These factors and many others
change the likelihood of success of a particular threat.
Cost is the total cost of the impact of a particular threat experienced by a
vulnerable target. Hard-dollar costs are measured in terms of "real"
damages to hardware or software, as well as quantifiable IT staff time and
resources spent repairing these damages. Semi-hard costs might include such
things as lost business or transaction time during a period of downtime. Soft
costs include such things as lost end user productivity, public relations damage
control, a decrease in user or public confidence or lost business opportunities.
For the two weeks before and after the Melissa virus catastrophe in 1999, we
did a study where the person most responsible for virus security in 300
organizations was asked to assess the cost of his or her company's "most
recent virus event." Nearly one in five companies in the survey said their
most recent virus event was Melissa. Of these companies, 79 percent experienced
a "disaster" from it. The average "disaster" company had
1,120 employees and averaged 196 infected PCs and 8.7 infected servers
(including e-mail, e-commerce and other servers) per site, which were down for
an average of two days. Yet the average technician whose company experienced a
disaster related to Melissa said the organizational cost was only $1,700. The
actual total costs were probably more than seven-fold higher. Why? Because
almost none of the technicians surveyed added in second-order hard costs or
semi-hard or soft costs.
It's not threat, vulnerability or cost alone that really matters, but risk.
As you can see from the risk equation, for there to be any risk there must be at
least some threat and some vulnerability and some cost. The concept we all
learned in sixth grade, that anything multiplied by zero is zero, means that if
any one of the three components of risk is zero, then the risk is also zero.
This concept is handy when evaluating a vendor's or the media's suggestion
that "XYZ risk" must be addressed. If you can determine that XYZ poses no
threat to your organization, or that your organization is not vulnerable to it,
or that, even if it is vulnerable, the cost of the impact (including fixing or
repairing the problem) is zero, then you automatically know that XYZ poses no
risk to your organization.
In most instances, you won't be able to say for sure that any of the three
risk factors is zero. Instead, you'll need to measure each component of risk.
For instance, let's say you want to determine if your intranet Web server is
vulnerable to the "gichagoombi" attack, and if so, the level of the
threat. To do this, you need to evaluate the threat rate in other spheres (like
the Internet), and determine how that translates to your intranet. What tools,
knowledge and access are required to make it a threat? What human motivation is
necessary? Who in your company has all the ingredients (tools, knowledge,
access, motivation) to exploit the vulnerability? By drilling down into each
component, you'll very often conclude that there's no risk, or at least no
imminent risk, because at least one component of risk is zero or near zero.
Vulnerability is often the first thing to address, since that's where you
typically have the most control. There are always many places where you can at
least partially reduce vulnerability, and do so easily and inexpensively. We
call these partial solutions "synergistic controls." They are
overlooked by almost everyone, but are exceedingly useful, especially when used
together with other synergistic controls.
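The following is an added worked example, not part of the original column, that puts numbers to the equation Risk = Threat x Vulnerability x Cost as defined above and to the two points the column makes about it: that a zero in any one term zeroes the risk, and that partial "synergistic controls" on the vulnerability term compound. It treats Threat as events per year, Vulnerability as a probability between 0 and 1, and Cost as dollars per successful event, so Risk comes out as expected dollars lost per year. The 88-per-day virus encounter rate, the 1.4-per-year Florida hurricane rate and the seven-per-day scan rate are the column's figures; every other number, the scenario names, and the class and function names are assumptions constructed for the illustration.

```python
"""Added worked example of Risk = Threat x Vulnerability x Cost.

Units: Threat in events per year, Vulnerability as a probability (0..1),
Cost in dollars per successful event, so Risk is expected dollars per year.
All scenario values are constructed except the per-day rates quoted from
the column (88 virus encounters, 7 attack-related scans, 1.4 hurricanes/yr).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cost:
    """Impact of one successful event, split the way the column splits it."""
    hard: float = 0.0       # damaged hardware/software, IT time spent repairing
    semi_hard: float = 0.0  # lost business or transaction time during downtime
    soft: float = 0.0       # lost productivity, PR damage control, lost confidence

    def total(self) -> float:
        return self.hard + self.semi_hard + self.soft


@dataclass(frozen=True)
class Scenario:
    """One threat category evaluated against one organization."""
    name: str
    threat_per_year: float  # frequency of potentially adverse events
    vulnerability: float    # probability that one such event succeeds here
    cost: Cost              # impact when it does succeed

    def risk(self) -> float:
        """Expected annual loss: Threat x Vulnerability x Cost."""
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.name}: vulnerability must be a probability")
        if self.threat_per_year < 0 or self.cost.total() < 0:
            raise ValueError(f"{self.name}: threat and cost cannot be negative")
        return self.threat_per_year * self.vulnerability * self.cost.total()


def per_day(rate: float) -> float:
    """Convert a per-day threat rate (as the column quotes several) to per-year."""
    return rate * 365


def apply_controls(scenario: Scenario, *success_multipliers: float) -> Scenario:
    """Model partial ('synergistic') controls: each leaves only a fraction of
    the attack success probability in place, and the fractions compound."""
    vuln = scenario.vulnerability
    for m in success_multipliers:
        if not 0.0 <= m <= 1.0:
            raise ValueError("a control multiplier must be between 0 and 1")
        vuln *= m
    return replace(scenario, vulnerability=vuln)


def rank_by_risk(scenarios):
    """Highest expected annual loss first."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


# Constructed scenarios for a hypothetical 1,000-PC organization.
VIRUS = Scenario(
    name="virus encounter",
    threat_per_year=per_day(88),          # column: 88 encounters per day
    vulnerability=0.001,                  # assumed: 1 in 1,000 encounters infects
    cost=Cost(hard=1_700, semi_hard=6_000, soft=4_500),  # assumed per event
)
HURRICANE = Scenario(
    name="hurricane damages data center",
    threat_per_year=1.4,                  # column: Florida landfall rate
    vulnerability=0.02,                   # assumed
    cost=Cost(hard=300_000, semi_hard=150_000, soft=50_000),  # assumed
)
PATCHED_DOS = Scenario(
    name="known DoS against patched intranet server",
    threat_per_year=per_day(7),           # column: attack-related scans per IP per day
    vulnerability=0.0,                    # fix installed: success probability is zero
    cost=Cost(hard=5_000, semi_hard=15_000),  # irrelevant once vulnerability is 0
)

if __name__ == "__main__":
    for s in rank_by_risk([VIRUS, HURRICANE, PATCHED_DOS]):
        print(f"{s.name:45s} ${s.risk():>12,.0f}/year")
    # Two independent partial controls, each halving attack success,
    # together leave a quarter of the original risk.
    mitigated = apply_controls(VIRUS, 0.5, 0.5)
    print(f"virus after two synergistic controls: ${mitigated.risk():,.0f}/year")
```

Two things to notice when running it: the scan-heavy but patched server ranks last with a risk of exactly zero no matter how large its threat or cost figures are, which is the multiplication-by-zero point in practice; and because the equation is linear in each term, two controls that each leave half the attack success probability leave a quarter of the risk, so cheap partial controls stack rather than merely overlap.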