Search:

A Failed Attempt at Optimizing an Infosec Risk Assessment

Saturday, January 28, 2012

Bozidar Spirovski

E973b16363b3de77b360563237df7e32

Recently I got into a discussion with an insurance supervisor on the topics of risk assessment.

He explained the process of work of actuaries in insurance, and that there are standardized tables of probabilities for an event to occur, like sickness and death, and how it is used to calculate insurance premiums.

After digesting the explanation, my reaction was that I found the holy grail of the Information Security Risk Analysis: All it takes is for enough information of an incident event be collected into a statistical table, and all possible types of information security incidents will have a standardized table of frequency and impact - no more assessments over the entire organization!

And in such a great and utopian solution, at least a quarter of the time the information security personnel will fell like they are doing actuarial jobs.

But I was quickly brought back to reality by the expert in insurance, with a good question: Actuarial tables are compiled based on information that is mandatory to be published - illness, fires, theft, even death.

How will you collect accurate information from information security, when it's not mandatory to publish them?

And he was perfectly correct: Collecting information to compile an actuarial table for information security will be impossible. There are very few companies in the world that will release any information that there was an information security incident if it hasn't impacted the public in a very obvious way.

Also, the value of the impact is calculated in any number of methods, and different items are included in the value, making the valuation of the incident an incomparable attribute from one incident to another.

Having a standardized method for risk assessment in information security based on hard numbers would be great. But since the factors included in any incident are very complex and varying, and also consistent incident reporting is nearly impossible, we will be sticking to the current qualitative methods.

Talkback and comments are most welcome...

Cross-posted from Information Security Short Takes

Share This! |
Possibly Related Articles:
5396
Enterprise Security
Information Security
Enterprise Security Risk Management Risk Assessments Analytics metrics Standards Mandatory Reporting Information Security Infosec optimization Bozidar Spirovski
Post Rating I Like this!
Comments:
Default-avatar
Paul Hughes There is a step in the right direction on the horizon, although not from the arena you might think!

Changes to the EU Data Protection Act that were proposed on Wednesday would mean that notification of breaches to the relevant country's Information Commissioner and the persons affected would become mandatory for all companies operating in the EU, and must take place within the first 24 hours of discovery.

This would, in effect, provide a huge amount of data of the type you're looking for. Although, as you say, each of them would have to be assessed for a variety of impact classes (privacy, financial, mental/physical anguish, etc. etc.) so not quite all the way there, but a good step!
1327842785
Default-avatar
Aethelred theGreat Anybody knows if those changes will be applicable to all International organizations and would it be mandatory?
1327865577
Default-avatar
Paul Hughes As the proposal stands at the moment it would be mandatory for all organisations operating within the EU.

The proposal is yet to be ratified and may be subject to some changes before it actually passes into law in 2014.

That said, for most organisations two years is scant notice to alter their business enough to accomodate the changes as proposed, so some form of movement at this stage is likely advisable.

You can find a full text of the proposed changes here: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_9_en.pdf
1327871095
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked


Latest Member Comments

"installment loan"

Student Pleads Guilty to Counterfeiting Coup... on 06-18-2013

"Counterfeiting is against the law. So it is bad to sell and buy products such as bogus.There is nothing brand new about counterfeiting...."

Student Pleads Guilty to Counterfeiting Coup... on 06-18-2013

"Can you tell mo more about how to keep clean mess from PC anywhere can you elaborate. http://www.chemdryrapiddry.com.au/carpet-cleanin..."

Starting to Clean Up the Mess from PCAnywher... Peggy Patterson on 06-18-2013

"Have you ever dreamed that your 90′s cyberpunk movies goes real? Well, we almost there, meet the Deep Web. The Deep Web (also called ..."

What is the Deep Web? A Trip into the Abyss.... Smukke Smukke on 06-13-2013
Latest Posts