Why is measuring what you protect important?
Of course the psychological effects or physical harm cannot be that
easily quantified. My 5-year-old son is still shocked that someone tried to break
into our neighbour's house a couple of months earlier. So the security mechanisms at
my house are sort of a trade-off considering the loss of tangibles and intangibles,
and how much I am willing to spend.
Business security is much more complex, but very similar to the
personal security example quoted above. It should protect the organization and its
ability to perform its mission, not just its IT assets. It should
also consider factors like loss of confidence and bad publicity, and the perception of
the market, investors and all other stakeholders. Finally, it should also take into
consideration the amount of money spent on security versus the value of the assets
that are being protected.
Any risk assessment activity starts with understanding and collecting
system-related information. The paper <link given below> from NIST
elaborates on this activity. It classifies and gives details of the IT system
related information that can be collected. It also enumerates some techniques
for collecting such information.
Another related activity is business impact analysis. It analyzes the
impact associated with the compromise of information assets, based on a
qualitative or quantitative assessment of the sensitivity and criticality of
those assets. Identifying, classifying and associating a cost with the
information helps to concentrate on the realistic threats among the innumerable
perceived ones. It also helps in deciding the amount of investment and
any other trade-offs that are made with respect to security.
We automatically do risk assessment and impact analysis when it comes to our
personal security, to reach a level of comfort. Organizations need to do the same, but in a
more systematic way. Only then will they be sure how much to spend on
security and where to focus. It would also be a good starting point for measuring
the security Return on Investment (RoI).