Business Impact Analysis is mentioned in Domain 3 of the CISSP certification.
It seemed like such a simple task. Find the financial impact of a risk, multiply it times its annualized risk exposure and sort these to solve the highest risk exposures first.
But, what I quickly learned is that risk impact and frequency are bound up by a great silence in our industry, a sucking sound so great that a whole storm system revolves around it. Impact gets measured as PCI Non-Compliant. Frequency gets measured as "High" from your local scanning tool.
So, in the dark and stormy silence Risk Exposure looks like this.
- Internet facing server processing PCI Data: Impact High
- The server processing Card Holder Data has a Medium risk finding from Nessus: Risk Frequency: Medium
- Over all Risk Exposure: Medium-High, so fix it now.
Notice: No one asked if fixing it now cost 15 cents or 1 billion dollars. No one asked if the Risk Exposure was worth the cost. No one knows what the Return On Investment was.
Instead, we say, not being PCI compliant is a eCommerce ending move, even though we know an Acquirer will accept some risks if it makes business senses.
So, we cooperate with the great sucking sound and we leave the client with the view that Risk Exposure based logic is a dead art. But, because of that great sucking sound of missing knowledge, this has almost become true.
What do we need to change this game? Firs,t get a hold of three items your corporation can give you if you knew to who ask:
- What is your firm’s Return On Invested Capital? What you are looking for is what it costs your company to not route free cash into making its direct profit.
- What is your firm’s experience with infected systems, downed servers and/or breaches? Note: by breach I do not always mean "Legal required notification". I mean how many times per week does an Internet facing webserver go down in a non-planned way? How many breaches of data that do not meet the legal threshold for notice occur per month?
- How much did restoring, repairing, rebuilding, reimaging, improved firewall rules, down time, legal fines for disclosed or altered data, or even direct fraud cost per event? We all have them. I know that asking what it is may be too close to that great low pressure system, and you do not need to be struck by lightning at the storm's center. I won't ask and you won't tell.
With these, one can compute estimates of how much insurance to buy, justify the Infosec budget, financially select cost effective solutions and prove it to your CFO.
Compute how much savings your company would see plus compounding interest your company needs to save up for a breach every certain number of days, weeks, months, or years.
Your local business analyst or MBA can turn this into a Net Present Value. After you compute this, lots of hard numbers can be computed.
But, from the view of the blunt truth, very good things can happen. Even if your inputs are uncertain, the size of the uncertainty has a business value to know.
If you are sick of measuring Risk Exposure as "High", "Medium" or "Low", but want to use cash/yr as a Risk Exposure, you may want to check back for more.