A Failed Attempt at Optimizing an Infosec Risk Assessment

Saturday, January 28, 2012

Bozidar Spirovski


Recently I got into a discussion with an insurance supervisor on the topics of risk assessment.

He explained the process of work of actuaries in insurance, and that there are standardized tables of probabilities for an event to occur, like sickness and death, and how it is used to calculate insurance premiums.

After digesting the explanation, my reaction was that I had found the holy grail of Information Security Risk Analysis: all it takes is for enough information about incident events to be collected into a statistical table, and every type of information security incident will have a standardized table of frequency and impact - no more assessments over the entire organization!

And in such a great and utopian solution, at least a quarter of the time the information security personnel will feel like they are doing actuarial jobs.

But I was quickly brought back to reality by the insurance expert, with a good question: actuarial tables are compiled from information that is mandatory to publish - illness, fires, theft, even death.

How will you collect accurate information from information security, when it's not mandatory to publish them?

And he was perfectly correct: collecting the information to compile an actuarial table for information security will be impossible. There are very few companies in the world that will release any information about an information security incident unless it has impacted the public in a very obvious way.

Also, the value of the impact is calculated by any number of methods, and different items are included in the value, which makes the valuation of one incident incomparable to that of another.

Having a standardized method for risk assessment in information security based on hard numbers would be great. But since the factors involved in any incident are very complex and varying, and consistent incident reporting is nearly impossible, we will be sticking to the current qualitative methods.
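To make the reporting-bias argument concrete, here is an added illustration (not from the original post) on constructed incident data: an actuarial-style frequency/impact row computed from all incidents of one organisation, beside the same row computed only from the incidents that became public. The disclosure rule, the loss figures and the ten-year window are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    kind: str
    loss: float          # impact in arbitrary currency units, one valuation method
    public_impact: bool  # did the public notice? (the post's de facto disclosure trigger)


# Constructed sample: ten years of incidents for one organisation (not real data).
INCIDENTS = [
    Incident("malware", 5_000, False),
    Incident("malware", 8_000, False),
    Incident("malware", 12_000, False),
    Incident("lost_laptop", 3_000, False),
    Incident("lost_laptop", 4_000, False),
    Incident("phishing", 2_000, False),
    Incident("phishing", 6_000, False),
    Incident("breach", 250_000, True),
    Incident("breach", 90_000, True),
    Incident("outage", 40_000, True),
]
YEARS = 10


def disclosed(incidents):
    """Model the post's observation: only publicly visible incidents get reported."""
    return [i for i in incidents if i.public_impact]


def actuarial_row(incidents, years):
    """Return (frequency per year, mean impact, annual expected loss)."""
    n = len(incidents)
    if n == 0:
        return 0.0, 0.0, 0.0
    freq = n / years
    mean_loss = sum(i.loss for i in incidents) / n
    return freq, mean_loss, freq * mean_loss


def bias_report():
    """Compare the table built from everything with the one built from disclosures only."""
    return {
        "true": actuarial_row(INCIDENTS, YEARS),
        "from_disclosures": actuarial_row(disclosed(INCIDENTS), YEARS),
    }


if __name__ == "__main__":
    for label, (freq, mean_loss, ale) in bias_report().items():
        print(f"{label:17s} freq={freq:.1f}/yr  mean_loss={mean_loss:,.0f}  ALE={ale:,.0f}")
```

The disclosure-only row understates frequency by a factor of three and triples the mean impact, so a table compiled from public reports would describe a rare, catastrophic risk while the organisation actually lives with frequent, moderate losses.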

Talkback and comments are most welcome...

Cross-posted from Information Security Short Takes

Paul Hughes:
There is a step in the right direction on the horizon, although not from the arena you might think!

Changes to the EU Data Protection Act that were proposed on Wednesday would mean that notification of breaches to the relevant country's Information Commissioner and the persons affected would become mandatory for all companies operating in the EU, and must take place within the first 24 hours of discovery.

This would, in effect, provide a huge amount of data of the type you're looking for. Although, as you say, each of them would have to be assessed for a variety of impact classes (privacy, financial, mental/physical anguish, etc. etc.) so not quite all the way there, but a good step!
Aethelred theGreat:
Does anybody know if those changes will be applicable to all international organizations, and would it be mandatory?

Paul Hughes:
As the proposal stands at the moment it would be mandatory for all organisations operating within the EU.

The proposal is yet to be ratified and may be subject to some changes before it actually passes into law in 2014.

That said, for most organisations two years is scant notice to alter their business enough to accommodate the changes as proposed, so some form of movement at this stage is likely advisable.

You can find a full text of the proposed changes here: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_9_en.pdf