Every business faces risk as long as it has something of value, and the more valuable its assets, the more risk it faces. Data becomes more valuable as the amount of information in a database grows and as that data can be harvested more effectively. It should be protected at a reasonable cost, one that is a fraction of the value of the data.
The cost of attacking a corporation's data assets usually falls as technology improves. To break into a data center or reach a particular asset, an attacker must make a certain investment before gaining access to the data and profiting from it. Some attacks cost very little, and the enterprise must guard against those in particular. Whenever the cost of an attack drops below the value of the data it targets, the security around that asset should be upgraded so that the attack no longer pays.
Unfortunately, most attackers do not run a cost-benefit analysis on the victim before attacking. Many low-cost methods of attack, such as script-kiddie tools (ready-made attack code available for free on the Internet), are used for kicks: the attacker may gain nothing, yet the attack still hurts the owner of the data. Enterprises therefore need to defend against all types of attacks that threaten their assets or their ability to do business.
A general definition of risk shows how threats factor into it. Risk due to security attacks is the product of the threat (the likelihood that an attack is attempted), the vulnerability to that threat (the likelihood that the attempt succeeds) and the value of the asset. Since companies want to increase the value of their assets and cannot stop all threats, the term they can act on is their vulnerability to a given attack.
To find the total risk a company faces, it must first inventory its data assets. With each asset tallied, the company estimates the probability of each threat to that asset and the probability that the threat succeeds, and multiplies both by the asset's value. The total risk is the sum of the risks to each asset, expressed in dollars.
To justify a security upgrade, the company evaluates how much that upgrade reduces risk. Dividing the reduction in risk by the cost of the upgrade gives the return on security investment (ROSI); the common form of the formula subtracts the cost of the countermeasure from the reduction before dividing, so that an ROSI above zero means the control pays for itself. The analysis gives an estimate of the residual risk once countermeasures are in place. Reducing risk makes the enterprise safer than ignoring the threats, and enterprises can choose to install countermeasures before an attack or deal with the consequences afterwards.
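The inventory, risk and ROSI calculations described above, carried through on a small constructed asset inventory. This is an added example and not code from the original article; the asset names, dollar values, probabilities and attack costs are made-up estimates, and the countermeasure is modelled simply as scaling the vulnerability of the threats it addresses by a factor (a 0.1 factor meaning the control stops nine attempts in ten that would previously have succeeded).

```python
from __future__ import annotations
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float    # estimated annual likelihood the attack is attempted
    vulnerability: float  # estimated probability the attempt succeeds against current controls
    attack_cost: float    # estimated attacker outlay in dollars to carry it out


@dataclass
class Asset:
    name: str
    value: float          # dollar value of the data asset
    threats: list[Threat] = field(default_factory=list)


def asset_risk(asset: Asset) -> float:
    """Risk = threat x vulnerability x asset value, summed over the asset's threats."""
    return sum(asset.value * t.probability * t.vulnerability for t in asset.threats)


def total_risk(assets: list[Asset]) -> float:
    """Total risk in dollars is the sum of the per-asset risks."""
    return sum(asset_risk(a) for a in assets)


def cheap_attacks(assets: list[Asset]) -> list[tuple[str, str]]:
    """(asset, threat) pairs where the attack costs less than the data is worth:
    the cases where the article says protection should be upgraded."""
    return [(a.name, t.name) for a in assets for t in a.threats if t.attack_cost < a.value]


def apply_control(assets: list[Asset], affected: set[str], factor: float) -> list[Asset]:
    """Return a new inventory in which the vulnerability of every threat named in
    `affected` is scaled by `factor`; other threats and all values are unchanged."""
    out = []
    for a in assets:
        new_threats = [
            replace(t, vulnerability=t.vulnerability * factor) if t.name in affected else t
            for t in a.threats
        ]
        out.append(Asset(a.name, a.value, new_threats))
    return out


def rosi(assets: list[Asset], affected: set[str], factor: float, cost: float) -> tuple[float, float, float]:
    """Return (risk reduction in dollars, reduction / cost as in the article,
    (reduction - cost) / cost as in the common textbook ROSI formula)."""
    reduction = total_risk(assets) - total_risk(apply_control(assets, affected, factor))
    return reduction, reduction / cost, (reduction - cost) / cost


# Constructed sample inventory; every number here is an illustrative estimate.
INVENTORY = [
    Asset("customer_db", 500_000.0, [
        Threat("sql_injection", probability=0.6, vulnerability=0.3, attack_cost=2_000.0),
        Threat("insider_exfiltration", probability=0.1, vulnerability=0.5, attack_cost=20_000.0),
    ]),
    Asset("marketing_site", 20_000.0, [
        Threat("defacement", probability=0.8, vulnerability=0.2, attack_cost=500.0),
        # Costs the attacker more than the data is worth, so it is not flagged as cheap.
        Threat("targeted_ransomware", probability=0.05, vulnerability=0.4, attack_cost=50_000.0),
    ]),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:15s} risk ${asset_risk(a):>10,.0f}")
    print(f"total risk      ${total_risk(INVENTORY):>10,.0f}")
    print("attacks cheaper than the data they target:", cheap_attacks(INVENTORY))
    # Hypothetical countermeasure: parameterised queries plus a WAF for $15,000,
    # assumed to cut the SQL injection success rate to a tenth of its current value.
    reduction, ratio, net = rosi(INVENTORY, {"sql_injection"}, 0.1, 15_000.0)
    print(f"risk reduction ${reduction:,.0f}, reduction/cost {ratio:.2f}, net ROSI {net:.2f}")
```

With these estimates the customer database carries $115,000 of annual risk against $3,600 for the marketing site, and the $15,000 countermeasure removes $81,000 of it, a ratio of 5.4 in the article's form or 4.4 once the control's own cost is netted out. The probabilities are the weak link of any such model: changing the SQL injection success estimate from 0.3 to 0.1 cuts the headline reduction by two thirds, so the inputs deserve at least as much scrutiny as the arithmetic.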