Another fling with security semantics.
Jack Jones’s wonderful discussion of loss events started out by defining an incident even more narrowly than I have, and I think he’s on the right track.
* How many of you have worked for an organization that suffered a security incident of some kind? (I have, and I suspect most if not all of you have experienced viruses/worms, system or data abuse and/or theft by employees, web defacements, etc.)
* In how many of these incidents was there the potential for significant loss/harm to the organization? (In my experience, many of the incidents have had the potential for significant harm.)
* How many of these incidents actually resulted in worst-case loss? (In my experience, none of them did – they didn’t even come close.)
I am all over Jack’s suggestion that we only count it as an incident if actual loss was incurred. But hang on a tick—let’s define “loss,” too, and as something more tangible than just “productivity loss incurred because someone had to stop and pay attention to this event.”
Let’s try defining loss as a loss of confidentiality, availability and/or integrity that resulted in the loss of significant productivity or actual revenue. If a virus blew up someone’s PC and he couldn’t get any work done until it was fixed, I’d call that an incident. But if it just had spyware on it, and he had happily been working with it for months without anyone noticing or caring, then it’s not a loss, even if we had to stop him from working for an hour while we cleaned it up. In this case, “significant” is whatever management considers significant, and it comes back to their decision on whether the matter is worth pursuing or letting go. One company’s significant loss is another company’s annoyance.
This definition of “loss” gets tricky if you get into legal matters. Say an employee mails himself company intellectual property that he ought not to have. That’s a loss of confidentiality, all right, but has it caused any revenue loss? Potential revenue loss, perhaps—but then you’d have to prove harm in a court of law if you decided to prosecute anyway. If there’s a specific law broken by the loss of the C, I or A, then I guess you could consider that “harm,” but I’m getting on swampy ground and would need a lawyer’s help getting through that. (Mark Rasch, where are you?)
By this definition, is every breach of company policy an “incident”? Not by any means. It starts looking more incident-like if a senior manager takes enough offense at the breach to want to take disciplinary action. Dealing with that can certainly cause a loss of (or at least a diversion of) productivity. But I think Jack might agree with me that choosing to enforce policies is the cost of having them, i.e. the cost of doing business. When HR, Legal, Audit and Security take time to deal with the fallout of a breach, that’s what they’re there for; it’s part of their job descriptions. It’s not a loss in and of itself, caused by an adverse event. It’s an extension of the controls system we designed to prevent actual losses.
This definition, if it were widely accepted, would help draw a better line between the “hey, I was just looking” sort of security breach that the original hackers were accused of, and the organized crime sort of breach that is intended to cause actual loss (and presumably gain for themselves). Most laypeople never understood the difference anyway, since most of this activity takes place on a nonphysical, technical level that they can’t understand.
This is also why the privacy angle is so murky these days, and it’s hard to prosecute companies for the exposure of individuals’ private information unless actual monetary losses occurred (in the form of fraud or identity theft). Just because you feel someone Shouldn’t Be Looking doesn’t mean you’re incurring a loss. But I’m not ready to give up on the privacy fight. It’s just that I think we have a lot more to work out on the legal front.
Nevertheless, I think this new definition of “incident” will help us clear away a lot of cruft that has inflated our public statistics to the point where people don’t believe them any more. And it gives me a new direction for my risk management discussions. Thank you, Jack—and happy Fourth of July.
“Let’s try defining loss as a loss of confidentiality, availability and/or integrity that resulted in the loss of significant productivity or actual revenue.”
Sorry, that doesn’t float my boat.
Is the courier losing my backup tapes on the way to my off-site storage an “incident”? You better believe it is. Did it cause me to lose “actual revenue”? I will probably never know. Do I claim that it cost me $2.5 billion? Only if I can figure out a way to claim that loss on my taxes.
-stacy