If you don't think information security is important, ask the millions of people each year whose information has been compromised in some way, including their personal or business identity. Your name, or your business's name, is invaluable. Reputation is difficult for most people to quantify, but when it is your own reputation that has been damaged, it is very easy to quantify. The only answer is devastating!
There are a few key terms that surface in every conversation about information security. I will list them here and then explain them in more detail a little later. The key terms are: risk, threat, vulnerability, asset, likelihood, and control.
Each of these terms has further dimensions of its own. For example, when we think of risk we need to understand several things about it: Is the risk quantified in financial terms (money) or qualitatively (reputation, customer confidence, etc.)? Is the risk inherent or external? How much risk remains after we have done everything we can (applied controls, etc.)?
Generally speaking, there is a simple way to frame risk in your mind. You can use this formula as a baseline for your thinking:
Risk = (Threats x Vulnerability) x (Likelihood %) - (Controls)
What does this mean in simple terms? Your risk is the applicable threats AND the vulnerabilities that exist AND the likelihood that a threat will actually exploit one of those vulnerabilities, less the controls that you apply.
If you want an even simpler framework for illustration purposes, just drop the likelihood from the high-level equation, but don't forget to factor it back in during the actual risk assessment process.
Risk = (Threats x Vulnerability) - (Controls)
Risk
As I briefly suggested above, there are many sorts and types of risk:
Residual Risk - the risk remaining after you have done everything you know or want to do.
Risk of Disclosure - unauthorized people (bad people) gain access to your information or systems.
Risk of Availability - your application, information, systems, etc. are not available to the people that need them.
Risk of Integrity - the integrity of your information or systems was altered in some way by unauthorized persons (very bad and sometimes difficult to discover).
There are actually many more forms of risk, but these are the high-level types that apply to almost every situation.
Threat
When you think of threats, you need to consider the various forms of threat (e.g., internal, external, inherent, etc.) that put your information or system at risk. The list of threats will vary based on a countless number of variables, so a threat assessment must be performed for each specific case. It is a good idea to include subject matter experts to ensure a reliable list of threats.
Vulnerability
Vulnerability speaks to the weaknesses within your situation. For example, all computer programs and hardware contain vulnerabilities, which is why software and hardware manufacturers are relentlessly producing updates based on the latest threats and exploits. In this example, have you applied all of the security patches to your system?
Likelihood
The likelihood of a threat materializing into an undesirable event is something that generates a lot of debate within the risk community. We can rely on past data to help frame potential likelihood values, but we must also take into account our own local situation and environment. That is, have we done everything we need to do to avoid a negative situation? We need to think in terms of frequency (daily, monthly, annually, etc.).
Control
Control is a general term for any direct or indirect method or object used to reduce the chance of a risk being realized, or to lessen its impact when it is.
Asset
The asset is what you are trying to protect.
You could develop a formula based on whatever risk framework you adopt. For example, if you use the framework I outlined above, you could develop a rating system and assign values to threats, vulnerabilities, likelihood and controls. The key thing to remember when doing this type of analysis is scope. Make sure you are very clear on the scope of your assessment and ensure that everyone is on the same page. It is wise to take larger problems and break them down into smaller, more manageable tasks and scopes.
The point of contention in this type of work is that most people consider the analysis to be highly subjective. Since there is no way to predict the future, all we can do is take historical data into account and then, based on our own individual tolerance for risk, make the appropriate adjustments. I will remind you that the events of September 11, 2001 were not even possible in most people's minds. Keep this in mind when thinking about your own situation.
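To show what such a rating system looks like in practice, here is a small risk register that scores scenarios with the formula given earlier (Risk = (Threats x Vulnerability) x (Likelihood %) - (Controls)) and with the simplified form that leaves likelihood out. This is an added example written for this post, not code from the author; the 1..5 rating scales, the control point scale, the asset names, the sample scenarios and the tolerance threshold are all assumptions constructed for illustration.

```python
"""Worked rating example for the risk formula in the post:

    Risk = (Threats x Vulnerability) x (Likelihood %) - (Controls)

The 1..5 rating scale, the control scale, the asset names and the
sample scenarios are constructed for illustration (assumptions,
not figures from the post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One row of a risk register: a threat acting on a vulnerability of an asset."""
    asset: str          # what you are trying to protect
    risk_type: str      # disclosure, availability or integrity (the post's three types)
    threat: int         # 1 = weak or rare threat source .. 5 = capable and motivated (assumed scale)
    vulnerability: int  # 1 = hardened .. 5 = known, unpatched weakness (assumed scale)
    likelihood: float   # probability the threat exercises the weakness in the period, 0.0 .. 1.0
    controls: float     # points credited for controls in place (assumed scale, 0 and up)


def validate(s: Scenario) -> None:
    """Reject ratings outside the agreed scale so scores stay comparable across the register."""
    if not 1 <= s.threat <= 5 or not 1 <= s.vulnerability <= 5:
        raise ValueError(f"{s.asset}: threat and vulnerability must be rated 1..5")
    if not 0.0 <= s.likelihood <= 1.0:
        raise ValueError(f"{s.asset}: likelihood must be a probability between 0 and 1")
    if s.controls < 0:
        raise ValueError(f"{s.asset}: controls cannot be negative")


def risk_score(s: Scenario) -> float:
    """Full formula: (Threats x Vulnerability) x Likelihood - Controls.

    The result is residual risk in the post's sense: what remains after the
    controls are credited. It is floored at zero, since controls in excess of
    the exposure do not produce 'negative risk'."""
    validate(s)
    exposure = s.threat * s.vulnerability * s.likelihood
    return round(max(0.0, exposure - s.controls), 2)


def simplified_risk_score(s: Scenario) -> float:
    """The post's simpler framing: (Threats x Vulnerability) - Controls, likelihood left out."""
    validate(s)
    return round(max(0.0, s.threat * s.vulnerability - s.controls), 2)


def rank_register(register: list[Scenario]) -> list[tuple[str, float]]:
    """Order scenarios highest residual risk first, so the worst exposures are treated first."""
    scored = [(s.asset, risk_score(s)) for s in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def worst_by_risk_type(register: list[Scenario]) -> dict[str, float]:
    """Highest residual score per risk type (disclosure / availability / integrity)."""
    worst: dict[str, float] = {}
    for s in register:
        worst[s.risk_type] = max(worst.get(s.risk_type, 0.0), risk_score(s))
    return worst


def above_tolerance(register: list[Scenario], tolerance: float) -> list[str]:
    """Assets whose residual risk exceeds the stated risk tolerance and so need more controls."""
    return [asset for asset, score in rank_register(register) if score > tolerance]


# Constructed sample register (illustrative values, not measurements).
SAMPLE_REGISTER = [
    Scenario("customer database", "disclosure", threat=4, vulnerability=5, likelihood=0.6, controls=3),
    Scenario("public web server", "availability", threat=5, vulnerability=3, likelihood=0.9, controls=10),
    Scenario("payroll system", "integrity", threat=2, vulnerability=2, likelihood=0.1, controls=4),
    Scenario("laptop fleet", "disclosure", threat=3, vulnerability=4, likelihood=0.5, controls=2),
]

if __name__ == "__main__":
    for asset, score in rank_register(SAMPLE_REGISTER):
        print(f"{asset:20s} residual risk {score:5.1f}")
    print("needs attention:", above_tolerance(SAMPLE_REGISTER, tolerance=5.0))
```

The scales are deliberately coarse: the point of such a register is not precision but a consistent, agreed scope and rating system so that two assessors score the same scenario the same way, and so that the items above the organisation's tolerance are visibly the ones that get further controls.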
I hope this information was helpful in giving you a general idea about information security risk. We live and operate in a connected world driven by information systems. The landscape of threats and risk is dynamic and always changing. I believe information security to be one of the single most misunderstood topics by executive management and individuals alike. Many seem to be limited by their own understanding and experiences.
You can think of information security like this. The next time you enter your personal information (name, address, banking info, phone number, etc.) into the latest great application talked about on Oprah or NBC Nightly News, ask yourself the following questions:
1.) Do I trust this company? If so, be very clear about why you trust them; blind trust isn't advisable.
2.) Where and how do they store and process your confidential information?
3.) What controls do they have in place to minimize risk to your information and are they willing to share this with you?
4.) Do they use external or third-party vendors and suppliers? Many times bad things happen to good companies because their third-party service providers and vendors don't operate at the same level as they do. It is the company's job to ensure all vendors are performing as expected. In other words, an aggressive monitoring and risk management program is required at a minimum.
5.) Ask yourself this last question: Would I give my private information to my neighbor? I am guessing the answer is no. Then why would you give this to a company that you know nothing about?
Be safe and ask a lot of questions.
Tim