Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Calling Gliese 581c ...

Been meaning to toss out a quick answer to Pete Lindstrom’s kind effort to include me in the Security Snarkathon:

There is, however, one area that is surprisingly naive and worth calling out, especially since people like SHRDLU at Layer8 and Alex at RiskAnalys.is are reinforcing it. Both have echoed their support for Andy’s attack of annual loss expectancy and information asset valuation. Essentially, they are all saying that it feels good not to worry about it because it is hard or impossible to do. Ouch.

Now that I’ve identified which planet he must be blogging from, I can get back to him.  Where in the world did I say that we shouldn’t include annual loss expectancy or that we should completely ignore asset valuation?  Maybe I’m not reading my own writing correctly.  Read it with me, now:

One other thing, though:  I was terribly gratified and relieved to read that I’m not the only one who doesn’t think “asset value” can be practically calculated.  All the risk-assessments-in-a-box I have seen have started off with an inventory and asset value, and hell, how am I supposed to compute the asset value of a firewall?  In terms of its hardware cost?  In terms of business loss if it’s a single point of failure?  In terms of the criticality of data it passes or blocks?

I still don’t think asset value can be practically calculated.  It can be “winged,” as in “is it worth it?” (which if you haven’t noticed is a binary question hiding a WHOLE lot of winging).  That’s not to say we shouldn’t try, but there needs to be much more definitive structure around it than we currently have.

But maybe I’m wrong and it can be practically calculated.  Show me how, Pete.  You da man.  Walk me through it.  Let’s take two examples:  my aforementioned firewall, which let’s say I happened to build out of an old 486 and which runs fine, even though it’s protecting a bunch of confidential data.  The other example is a corporate desktop workstation.

First example:  the firewall.  Pete has this wisdom to impart:

At the very least, collecting costs and assigning that as a “minimum value” representation is not hard to do.

Cool.  It cost me $50 on eBay (plus shipping) and, oh, about 4 total hours of setup time, which we’ll calculate at $70/hr if I were paying some generic contractor to do it.  Does a “minimum value” of $330 even come CLOSE to being a reasonable point of risk discussion, if I’m protecting, say, 1000 SSNs with it?  Does its value go up or down if I have it backed up by a redundant 486 so that it’s not an inline single point of failure?

Let’s go over to the corporate desktop.  Let’s say it’s costing $500 per month in some seat management contract.  Should I use that as my “minimum value”?

How about if I say it’s the CEO’s desktop?

How about if I say the CEO’s got business data stashed on it?

How about if I say it is or it isn’t being backed up?

How about if I say the business data includes corporate secrets?

Sure, Pete, a bare minimum value can be calculated if you only count the replacement cost.  But we all know that’s NOT what’s really going to hit your pocketbook if it gets breached or lost.  Considering the potential MAXIMUM asset value, depending upon how much you really know about it and which doomsday scenarios you concoct, the real ballpark could be millions of shekels.  At which point I’d personally feel pretty silly bringing a figure like $500 to the risk analysis table. 

I know a woman who has a degree or two from MIT, one of them being in aerospace engineering.  When she tries to say “Math is hard” with a straight face, we all blow suds out our noses and then go on to the next Babylon 5 DVD. 

Math may or may not be hard.  But picking the right numbers out of the air to add or subtract IS hard.  I can give you value and loss statements in relative terms (green?  five?) all day long.  I can match my “green” with the other executives’ “chartreuse” and we can meet somewhere in the middle.  We can answer “is it worth it?” whenever we’re comparing two scenarios.  But if I’m faced with a lame attempt at a “risk assessment” survey that asks me to list the number of desktops x asset value, I’m still going to claim that it’s a ridiculous question, has no practical answer that can be used for REAL risk assessment, and I’m going to do my loss expectancy calculations based on scenarios, not assets.

Scenario 1:  loss of availability.

Scenario 2:  loss of confidentiality.

Scenario 3:  loss of integrity.

None of them can be applied to a desktop, or a firewall, or a Windows license.  They’re all about the data.  And even there, if I bring a worst-case number for each of those to the table, I’ll be accused of spreading FUD—which is not the point of risk analysis.  Is the perceived value of a database really the same whether it’s breached, corrupted, or deleted?  Show me that math, because that’s GOT to be a doozy of an equation.

So, let’s sum up:  I have a possible “minimum value” which is a ridiculous number.  I have a “maximum value” which my management is going to reject as being alarmist.  The two of them are probably thousands or millions of integers apart.  Pete, tell me where to meet you in the middle, and show me how it’s a practical calculation of asset value.

Don’t get me wrong:  I’m going to keep trying.  I haven’t seen anyone come up with a very simple, practical way of pulling numbers together consistently, though.  I have yet to see any examples on the practical level that Andrew Jaquith has in the rest of his book.  If he can’t do it either, and if you’re smarter than he is, take a crack at it.  I’m all (pointy) ears.


Posted by shrdlu on Saturday, May 05, 2007
(6) Comments

Comments

Netherlands on 05/06  at  04:51 AM:

Excellent post and I could not agree more. Most attempts at quantifying risk assessments are nice from a theoretical point of view, and when I am wearing my PhD hat, I have to defend them ad infinitum. However, when I am wearing my pragmatic real-world hat, I have to say that even if you give most people at C-level objective, real numbers, they just want to know if “it is worth it”. That is a question that I can answer; calculating the ALO or the net present value of security investments can be done, but I also doubt its applied use.

shrdlu United States on 05/06  at  07:20 AM:

Thanks, Kees.  Since you seem to be well-versed in all the PhD stuff, maybe you can answer another question for naive little ol’ me:

WTF is up with the A in ALE??

What good does it do anyone to annualize a loss expectancy?  That completely blows any notion of probability out of the water.  Unless you’re saving for a Security Rainy Day or buying insurance, I don’t see the point.  We all want to know if “it is worth it,” which includes “how likely is this to happen and can I get away for one more year without it.”

I can come up with five different loss expectancy figures for the same asset, with varying (perceived) probabilities.  For the purposes of security spending, risk management, or just about anything else, you still end up slicing things right down the middle of your personal probability spectrum.  Yes, you can take that number and plug it into your ALE formula, but I don’t think it means anything.

But you probably know something (okay, a lot of things) I don’t.

Netherlands on 05/06  at  01:26 PM:

Well; for one, annualization makes it possible to compare different investment scenarios. An investment that has an economic lifespan of 3 years, and which costs $150k has the same price as an investment of $100k which has an economic lifespan of 2 years ($50k / year).

To prevent comparing apples with oranges, investments need to be annualized, and so do the expected revenues (i.e. the loss that you are preventing by investing in the particular solution, the ALE).

Like you, it seems, I am not opposed to some kind of quantitative risk assessment methods; my issue lies in the fact that the possible benefits of an investment are near-impossible to express in money objectively.

One of the points that is hard to grasp sometimes is that in assessing security investments, the annualized loss expectancy actually represents the benefits of the investment and not the cost.

-Kees
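Added worked example (not code from the post or from either commenter) putting the two threads together: Kees's annualization of investment cost, and shrdlu's point that a "minimum" (replacement-cost) and a "maximum" (worst-case) valuation of the same loss scenario can flip the "is it worth it?" answer. The $6,000 upgrade, the $100-per-record figure and the occurrence rates are constructed assumptions, not numbers from the page.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Investment:
    """A security control with a total cost and an economic lifespan."""
    name: str
    total_cost: float
    lifespan_years: float

    def annualized_cost(self) -> float:
        # Spread the cost over its lifespan so controls with different
        # lifespans become comparable (Kees's $150k/3y == $100k/2y point).
        return self.total_cost / self.lifespan_years


@dataclass(frozen=True)
class Scenario:
    """One loss scenario (availability, confidentiality or integrity) carrying
    a low and a high single-loss figure instead of one 'asset value'."""
    name: str
    sle_low: float     # replacement-cost view of one loss event
    sle_high: float    # worst-case view of the same loss event
    aro_before: float  # expected events per year without the control
    aro_after: float   # expected events per year with the control

    def ale_reduction(self, worst_case: bool) -> float:
        sle = self.sle_high if worst_case else self.sle_low
        return sle * (self.aro_before - self.aro_after)


def annual_benefit(scenarios: Sequence[Scenario], worst_case: bool) -> float:
    """Annualized loss avoided: the 'benefit' side of the comparison."""
    return sum(s.ale_reduction(worst_case) for s in scenarios)


def worth_it(inv: Investment, scenarios: Sequence[Scenario]) -> Tuple[bool, bool]:
    """Answer 'is it worth it?' under the minimum and the maximum valuation."""
    cost = inv.annualized_cost()
    return (annual_benefit(scenarios, False) >= cost,
            annual_benefit(scenarios, True) >= cost)


# Constructed sample (assumed figures, not from the post): a $6,000 firewall
# upgrade amortized over 3 years, guarding the post's 1000 SSNs. Low SLE is the
# post's $330 replacement cost; high SLE assumes $100 per exposed record.
FIREWALL_UPGRADE = Investment("redundant firewall pair", 6000.0, 3.0)
SSN_BREACH = Scenario("loss of confidentiality", 330.0, 1000 * 100.0, 0.05, 0.01)

if __name__ == "__main__":
    print(worth_it(FIREWALL_UPGRADE, [SSN_BREACH]))  # (False, True)
```

Under the replacement-cost figure the control never pays back; under the worst-case figure it does, which is exactly the spread the post complains about.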

shrdlu United States on 05/06  at  03:16 PM:

Kees, great explanations, thank you.  I understand that annualizing anything allows you to compare different time period scenarios, but I think it’s a really long stretch from “benefits of the investment” to “preventing a loss which may or may not occur.”  Going further, I think that trying to do that for purposes of buying insurance is not at all the same as investing in security to prevent some number of imagined loss scenarios.

To me, it’s like changing an apple to an orange to compare it with another orange, when what you really wanted to do is figure out whether you should buy watermelons, kumquats or durians.  (Eeuuw.)

Netherlands on 05/06  at  03:44 PM:

Agreed. The whole concept of having an insurance is accepting that you are at risk, and that vulnerabilities will manifest themselves. The purpose of taking out an insurance is to limit the financial impact of having to produce a large amount of cash at once, when the badness does strike.

That is why security investments are often subdivided into preventative measure, detective measures and corrective measures. Insurance is a corrective measure, firewalls are typically preventative and IDS’es are detective.

If, by investing in security, you mean the first two categories, then you are right; they are not the same as insurance. In reality, you should balance the three; some risk you mitigate by investing in human resources or equipment, some things you insure against, and some risk you accept and you hope to cover the losses from your own capital.

Finally, I had to look up what Durians are. Wikipedia to the rescue :-)

shrdlu United States on 05/06  at  04:03 PM:

Durians—the only fruit I’ve seen explicitly banned on public transportation.  Too bad we can’t ban unwashed bodies as well ;-)
