Why measuring what you protect is important

One suggestion I always get from visitors to my house is to add additional security measures. Instances of all sorts of potential attacks and burglaries are quoted. Some suggestions are good, but some are downright impractical (apart from the fact that it is not easy to make major alterations to the house). My standard response is that the current security is enough to protect the assets in the house. At any instant, I know approximately how much I am going to lose (in monetary terms) in case of a burglary.


Of course, the psychological effects or physical harm cannot be that easily quantified. My 5-year-old son is still shocked that someone tried to break into our neighbour's house a couple of months earlier. So the security mechanisms at my house are a sort of trade-off, considering the loss of tangibles and intangibles and how much I am willing to spend.


Business security is much more complex, but very similar to the personal security example above. It should protect the organization and its ability to perform its mission, not just its IT assets. It should also consider factors such as loss of confidence and bad publicity, and the perception of the market, investors and all other stakeholders. Finally, it should weigh the amount of money spent on security against the value of the assets being protected.


Any risk assessment activity starts with understanding the system and collecting system-related information. The NIST paper linked below (a draft revision of SP 800-30) elaborates on this activity. It classifies and details the IT system-related information that can be collected, and it enumerates some techniques for collecting such information.


http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/info/reference/nist/draft-special-publications/sp-800-30-rev-a-draft.pdf


Another related activity is business impact analysis. It analyzes the impact of a compromise of information assets, based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. Identifying and classifying the information and associating a cost with it helps to concentrate on realistic threats among the innumerable perceived ones. It also helps in deciding how much to invest in security and what other trade-offs to make.


We automatically do risk assessment and impact analysis when it comes to our personal security, to reach a comfort level. Organizations need to do the same, but in a more systematic way. Only then will they be sure how much to spend on security and where to focus. It would also be a good starting point for measuring the security return on investment (RoI).
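As an added worked example (not part of the original post), the following Python sketch turns the two activities above into numbers: a small quantitative risk register that ranks threats by annualised loss expectancy, and a control-selection step that compares each proposed safeguard's cost with the loss it prevents, the "how much to spend and where to focus" question. It uses the standard risk-analysis definitions SLE = asset value × exposure factor, ALE = SLE × annualised rate of occurrence, and ROSI = (ALE before − ALE after − annual cost) / annual cost; these formulas are assumed here, not taken from the post, and every asset, threat, control and figure is constructed for illustration.

```python
"""Quantitative risk register and control selection (illustrative).

Formulas (standard risk-analysis definitions, assumed here, not from the post):
  SLE  = asset value (AV) * exposure factor (EF)      loss from one incident
  ALE  = SLE * annualised rate of occurrence (ARO)    expected loss per year
  ROSI = (ALE_before - ALE_after - annual cost) / annual cost
All assets, threats, controls and figures below are constructed examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV: replacement cost plus value of the data it holds


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the Asset it targets
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    threat: str             # name of the Threat it mitigates
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO (0..1)
    ef_reduction: float = 0.0   # fraction by which the control cuts EF (0..1)


def sle(av: float, ef: float) -> float:
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    return sle(av, ef) * aro


def threat_ale(threat: Threat, assets: dict) -> float:
    """ALE of a threat with no mitigating control applied."""
    return ale(assets[threat.asset].value, threat.exposure_factor, threat.aro)


def mitigated_ale(control: Control, threat: Threat, assets: dict) -> float:
    """ALE of the threat after the control reduces its EF and/or ARO."""
    av = assets[threat.asset].value
    return ale(av,
               threat.exposure_factor * (1.0 - control.ef_reduction),
               threat.aro * (1.0 - control.aro_reduction))


def risk_register(assets: dict, threats: dict) -> list:
    """Threats ranked by ALE, highest first: this is where to focus."""
    ranked = [(t.name, threat_ale(t, assets)) for t in threats.values()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def rosi(control: Control, assets: dict, threats: dict) -> float:
    threat = threats[control.threat]
    benefit = threat_ale(threat, assets) - mitigated_ale(control, threat, assets)
    return (benefit - control.annual_cost) / control.annual_cost


def select_controls(controls: list, assets: dict, threats: dict, budget: float):
    """Greedy selection: best ROSI first, skipping controls that do not pay
    for themselves, that exceed the remaining budget, or whose threat is
    already covered (so the savings stay additive).
    Returns (chosen control names, total annual cost, residual ALE)."""
    residual = sum(threat_ale(t, assets) for t in threats.values())
    chosen, spent, covered = [], 0.0, set()
    for control in sorted(controls, key=lambda c: rosi(c, assets, threats), reverse=True):
        if rosi(control, assets, threats) <= 0:
            continue  # like the impractical suggestions: costs more than it saves
        if control.threat in covered or spent + control.annual_cost > budget:
            continue
        threat = threats[control.threat]
        residual -= threat_ale(threat, assets) - mitigated_ale(control, threat, assets)
        chosen.append(control.name)
        spent += control.annual_cost
        covered.add(control.threat)
    return chosen, spent, residual


# Constructed example data for a small web shop (all figures invented).
ASSETS = {a.name: a for a in [
    Asset("customer-db", 500_000.0),
    Asset("public-website", 100_000.0),
    Asset("staff-laptops", 40_000.0),
]}
THREATS = {t.name: t for t in [
    Threat("sqli-breach", "customer-db", exposure_factor=0.6, aro=0.2),
    Threat("defacement", "public-website", exposure_factor=0.3, aro=1.0),
    Threat("laptop-theft", "staff-laptops", exposure_factor=0.5, aro=2.0),
    Threat("ransomware", "customer-db", exposure_factor=0.4, aro=0.1),
]}
CONTROLS = [
    Control("waf-and-code-review", "sqli-breach", 25_000.0, aro_reduction=0.75),
    Control("full-disk-encryption", "laptop-theft", 2_000.0, ef_reduction=0.8),
    Control("offline-backups", "ransomware", 8_000.0, ef_reduction=0.75),
    Control("dedicated-soc-for-website", "defacement", 50_000.0, aro_reduction=0.9),
]

if __name__ == "__main__":
    for name, loss in risk_register(ASSETS, THREATS):
        print(f"{name:<28} ALE {loss:>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:<28} ROSI {rosi(c, ASSETS, THREATS):>6.2f}")
    print(select_controls(CONTROLS, ASSETS, THREATS, budget=30_000.0))
```

With the constructed figures, the register puts the SQL injection breach first even though it is the least frequent event, because the customer database carries most of the value; the website SOC is rejected because its annual cost exceeds the loss it prevents; and with a 30,000 budget the greedy pass buys disk encryption and offline backups but cannot afford the WAF-and-review programme, leaving a residual ALE the business must knowingly accept. Two caveats a practitioner would raise: greedy-by-ROSI is not optimal under a budget (it is a knapsack problem), and the exposure factors and occurrence rates are estimates whose uncertainty dwarfs the arithmetic, which is why the asset valuation and classification step comes first.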
