Every business faces risk as long as it has something of value, and the more valuable its assets are, the more risk it faces. The value of data grows as a database accumulates more information and as that data can be harvested more effectively. Data should be protected at a reasonable cost, one that is a fraction of the value of the data itself.
The cost of attacking a corporation's data assets usually falls as technology improves. Breaking into a company's data center or reaching a particular asset requires some investment from the attacker to gain access to the data and to profit from it. For some attacks that investment is very low, and the enterprise must guard against these attacks in particular. When the cost of an attack drops below the value of the data, the security of that asset should be upgraded to raise the attacker's cost and deter the attack.
Unfortunately, most attackers do not run a cost-benefit analysis on the victim before attacking. Many low-cost methods of attack, such as script-kiddie tools (attack tools obtainable for free on the Internet), are used simply for kicks. The attacker may gain nothing from the attack, yet the attack still hurts the owner of the data. Enterprises need to defend against all types of attack that threaten their assets or their ability to do business.
A general definition of risk shows how threats factor into it. Risk due to security attacks is the product of three factors: the threat, the vulnerability to that threat, and the value of the asset (Risk = Threat × Vulnerability × Asset value). Since companies want to increase the value of their assets and cannot stop all threats, the factor they control is their vulnerability to a given attack, and that is what they must decrease.
To find the total risk a company faces, it must first inventory its data assets. With each asset tallied, the company can estimate, as probabilities, the likelihood of each threat to that asset and its vulnerability to that threat. The total risk is the sum, in dollars, of the risks to each asset.
To justify a security upgrade, the company can evaluate the reduction in risk that the upgrade would bring. Dividing that reduction in risk by the cost of the upgrade gives the return on security investment (ROSI). This analysis yields an estimate of how much lower the risk will be once countermeasures are in place. Reducing risk makes the enterprise safer than it would be if the threats were ignored. Enterprises can choose to install countermeasures before an attack or deal with the consequences after one.
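The following is an added worked example of the risk roll-up and ROSI calculation described in the preceding paragraphs; it is not code from the original text. It applies the definitions given above literally: per-asset risk is threat probability × vulnerability × asset value, total risk is the sum over the inventory, and ROSI is the risk reduction divided by the cost of the upgrade. The asset names, dollar values, probabilities and countermeasure costs are constructed sample inputs, and the rule that an upgrade is "justified" when its ROSI is at least 1.0 (the reduction in risk at least pays for the upgrade) is an assumption added here for illustration.

```python
"""Quantitative risk roll-up and ROSI check (added example, constructed data).

Per-asset risk   = sum over threats of  T x V x asset value
Total risk       = sum over assets
ROSI             = (risk before upgrade - risk after upgrade) / upgrade cost
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    probability: float    # T: annual likelihood the threat is attempted, 0..1
    vulnerability: float  # V: likelihood an attempt succeeds against current controls, 0..1


@dataclass
class Asset:
    name: str
    value: float                       # asset value in dollars
    threats: list = field(default_factory=list)

    def risk(self) -> float:
        """Annualized risk in dollars for this asset: sum of T x V x value."""
        return sum(t.probability * t.vulnerability * self.value for t in self.threats)


def total_risk(assets) -> float:
    """Total risk across the inventory, in dollars."""
    return sum(a.risk() for a in assets)


def build_sample_inventory():
    """Constructed sample inventory; values and probabilities are illustrative only."""
    return [
        Asset("customer database", 2_000_000.0, [
            Threat("operator error (level 1)", 0.5, 0.2),
            Threat("insider misuse (level 2)", 0.1, 0.5),
            Threat("external intrusion (level 3)", 0.02, 0.5),
        ]),
        Asset("backup tapes", 500_000.0, [
            Threat("operator error (level 1)", 0.3, 0.1),
            Threat("tape theft (level 2)", 0.05, 0.8),
        ]),
    ]


def apply_countermeasure(assets, threat_name: str, new_vulnerability: float):
    """Return a copy of the inventory with V lowered for one named threat.

    A countermeasure reduces the vulnerability factor only: the threat is still
    attempted (T unchanged) and the asset is worth the same (value unchanged).
    """
    if not 0.0 <= new_vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability in [0, 1]")
    upgraded = copy.deepcopy(assets)
    for asset in upgraded:
        for threat in asset.threats:
            if threat.name == threat_name:
                threat.vulnerability = new_vulnerability
    return upgraded


def evaluate_upgrade(assets, threat_name: str, new_vulnerability: float, cost: float) -> dict:
    """Compute before/after risk and ROSI for a proposed upgrade.

    'justified' is an assumed decision rule: ROSI >= 1.0, i.e. the risk removed
    is at least as large as the money spent removing it.
    """
    if cost <= 0.0:
        raise ValueError("upgrade cost must be positive")
    before = total_risk(assets)
    after = total_risk(apply_countermeasure(assets, threat_name, new_vulnerability))
    reduction = before - after
    ratio = reduction / cost
    return {"before": before, "after": after, "reduction": reduction,
            "rosi": ratio, "justified": ratio >= 1.0}


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print(f"total annualized risk: ${total_risk(inventory):,.0f}")
    # A cheap fix for a common level-2 threat versus an expensive fix for a rare level-3 one.
    for name, new_v, cost in [("tape theft (level 2)", 0.05, 10_000.0),
                              ("external intrusion (level 3)", 0.10, 50_000.0)]:
        r = evaluate_upgrade(inventory, name, new_v, cost)
        print(f"{name}: reduction ${r['reduction']:,.0f}, ROSI {r['rosi']:.2f}, "
              f"{'justified' if r['justified'] else 'not justified'}")
```

With the constructed numbers, encrypting the tapes removes about $18,750 of annual risk for $10,000 (ROSI 1.9), while the perimeter upgrade against the rare external intrusion removes $16,000 of risk for $50,000 (ROSI 0.3); the cheaper control against the more frequent threat is the one the analysis supports, which is the same point the discussion of threat levels makes below.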
Risk always starts with a threat. Threats can be broken into three basic levels. The first level is unintentional threats due to accidents or mistakes. While not intentional, these threats are common and can cause downtime and loss of revenue. The second level is the simple malicious attack that uses existing equipment and perhaps some easily obtainable information. These attacks are less common but are intentional, and they usually come from internal sources. The third level is the large-scale attack that requires an uncommon level of sophistication and equipment to execute. A third-level attack usually comes from an outside source and requires access, either physical or virtual. Third-level attacks are extremely rare in SANs today and take considerable knowledge and skill to execute. Table 1 summarizes the three levels of threat.