termination (not listed in the previous edition) - instead of accepting the risk
of leaving the asset open to attack, the owner may choose to remove the
asset from the environment that holds the risk of attack; it is arguable whether
any environment can be totally safe, but it may be possible to move the asset
to an environment that presents different, lesser risks; if this is not possible,
the owner may choose to stop offering a service, stop presenting data to the
public, or otherwise stop exposing such an asset to risks
The best technique is probably a mixture of these methods. As we discussed last
week, avoiding risk is best, but not always possible. Minimizing the impact of
risk with mitigation is also desirable. Transference makes the most sense when
you have no expertise in your organization, but you could say that having a
separate IT Security division is a kind of transference. Acceptance makes sense
if the risk and its outcomes are minimal. Termination may make sense if the
asset at risk cannot be protected at a reasonable cost and our business plan can
do without it.
Last week we discussed setting values for company assets. The text revisits this
idea starting on page 322. There are ten different concepts in this section of the
text. We might consider the value of the income an asset generates, the cost we
would incur if we had to replace it, the cost of the loss of revenue if we no longer
had it, and more. As a famous example, consider Coca-Cola. What is the value of
the intellectual property that is the recipe for Coca-Cola? The formula for Coke is a
trade secret, which is different from a copyright. You can't copyright something
unless you file the information with a patent office, which makes it available to
anyone doing a patent search. This particular secret is not patented because that
would remove the marketing mystique of a secret formula, and it would make it
possible for someone else to make an identical product. They could be sued, but the
genie would be out of the bottle, so to speak. The mystique may be the more
valuable part, an intangible quantity that makes the physical product more
valuable. So what is it worth?
The text admits that some asset valuations are only estimates. The Coke formula is
probably an example of an asset whose value could only be known if it were lost. If
it were lost, it is unlikely that value could ever be regained.
After the discussion of value, the text brings up some of the terms I introduced last
week. Let's examine them again.
Asset Value (AV): the value that an asset has for the next several
calculations; this value may be different depending on the context of its use
Exposure Factor (EF): the percentage of the value that would be lost in a
single successful attack/exploit/loss; this accommodates the idea that an
entire asset is not always lost to an attack
All of the figures above are needed to begin the Cost Benefit Analysis described
on page 326. The text tells us that there are several ways to determine a Cost
Benefit Analysis. It recommends that we calculate a value for CBA with regard to
two values of ALE and a new concept, Annual Cost of Safeguard (ACS). The
safeguard in question is a procedure, a process, a control, or another solution that
will provide some measure of protection to our asset from the threat under
consideration.
CBA = ALE (without the safeguard) - ALE (with the safeguard) - ACS of this safeguard
In the formula above, the value of CBA is defined as the ALE if we do not use the
control, minus the ALE if we do use the control, minus the annualized cost of
the control. If the pre-safeguard ALE is 5000, and the post-safeguard ALE is 4000,
how much can the safeguard cost and still justify the new safeguard?
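As an added worked example (not from the text or these notes), the following Python carries the calculation through, using the textbook's standard relationships SLE = AV x EF and ALE = SLE x ARO, which this excerpt does not restate; the asset value, exposure factor and ARO figures are constructed so that they reproduce the 5000 and 4000 ALE values in the question above.

```python
# Added example (not from the notes): a cost benefit calculator. SLE = AV * EF and
# ALE = SLE * ARO are the textbook's standard definitions, assumed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pairing, evaluated before or after a safeguard is applied."""
    asset_value: float       # AV: value of the asset in this context
    exposure_factor: float   # EF: fraction of AV lost in one successful attack (0..1)
    aro: float               # ARO: expected number of occurrences per year

    def __post_init__(self) -> None:
        # EF is a percentage of the asset, so anything outside 0..1 is an input error
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: what one successful attack costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this threat."""
        return self.sle() * self.aro


def cba(ale_without: float, ale_with: float, acs: float) -> float:
    """CBA = ALE(without safeguard) - ALE(with safeguard) - annual cost of safeguard."""
    return ale_without - ale_with - acs


def max_justified_acs(ale_without: float, ale_with: float) -> float:
    """Annual safeguard cost at which CBA reaches zero; anything above it loses money."""
    return ale_without - ale_with


def economically_feasible(ale_without: float, ale_with: float, acs: float) -> bool:
    """Passes the economic feasibility test only if the loss avoided exceeds the cost."""
    return cba(ale_without, ale_with, acs) > 0


# Constructed figures chosen to reproduce the ALE values in the question above:
# a 100,000 asset, 10% lost per incident, 0.5 incidents/year before the safeguard
# and 0.4 incidents/year after it (the control lowers the likelihood, not the loss).
BEFORE = RiskScenario(asset_value=100_000, exposure_factor=0.10, aro=0.5)  # ALE 5000
AFTER = RiskScenario(asset_value=100_000, exposure_factor=0.10, aro=0.4)   # ALE 4000

if __name__ == "__main__":
    print("max justified ACS:", max_justified_acs(BEFORE.ale(), AFTER.ale()))
```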
CBA may also be called economic feasibility. The text mentions some other types
of feasibility as well; each may be a consideration or a limiting factor when
evaluating safeguards and controls, and each may be a factor in deciding whether a
project request may move forward.
organizational - Will the new solution fit the way our company works? This
is related to the consideration last week about whether a proposed FASP
standard was from a company that was enough like our own.
operational - Will the new system work for us? Can we use it, can the users
use it, is there any problem that will prevent it from being of value to us?
economic - What will the system cost to build, implement, and use? What
associated costs, such as training and personnel, are needed for it?
schedule - Not mentioned in the text. Will the timeline of the project take so
long that it will bring no value to the company? Will it cost too much to
shorten the timeline?