A perennial type of question that comes up is how to know if you are secure or measure your security. I have spent some time answering the question here, here, here, here, here, and here. As you can tell by the multiple ways of asking the same question and the huge differences in opinion expressed in people’s answers, the one underlying trend is that Information Security, as a profession, isn’t in agreement in what we are doing and why we exist.
If you look at my answers, I consistently attempt to define the terms I use and shift the topic onto what I call risk management. The basic points I make are:
- Information Security is misnamed because if fosters the impression that we can somehow be “secure.”
- There isn’t any one list of products that you can buy to make you secure.
- Any framework that works off the assumption of “security” to generate metrics that measure how “secure” you are is doomed to failure.
- A better view is the concept of risk management where risk is objectively measured and managed to acceptable levels.
The reason I consider a risk management framework superior to an Information Security framework boils down to the scientific concept of risk. The reason I consider this a fundamental requirement in any risk management framework is because it allows for an apples to apples comparison of information risk with other types of business risk. Since financial and business risk frameworks already use the basic formula of risk as (probability of loss) times (magnitude of loss) annualized. E.g. probable loss aggregated to $10,000/year. This meaningful metric allows for the ability to make a sound business decision when implementing a new business process. If the expected profits in the new opportunity are $1 million and the expected annualized loss from all threat vectors – information, financial, opportunity loss, etc. – is $10,000 then it makes sense to proceed with plans in place to absorb the loss. If the business is comfortable absorbing the loss or can shift the loss to an insurance instrument then I am remiss in recommending a solution that is as “secure” as possible for only $500,000 a year.
I have been fortunate to be exposed to a risk management framework that understands the requirement to objectively measure risk using the basic high level risk metric used by other disciplines. The framework is called Factored Analysis of Information Risk (FAIR) from a company called Risk Management Insight.