Aujas Blog: Why measuring what you protect is important?

Quick Search

Search only in titles: Keyword:

Search in:

Date Range:

Advanced Search

Basic Search
Subscribe

Blog Entry
September 2010

Su Mo Tu We Th Fr Sa
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30
Recent Entries
1. Addressing Phishing Risk
  Monday, May 31, 2010
2. Security by the Wall
  Tuesday, March 09, 2010
3. Aujas completes 2 years of successful operations
  Wednesday, February 10, 2010
4. Aujas @ CIO Year Ahead | 2010
  Wednesday, December 16, 2009
5. The Long Tail of Security
  Monday, October 26, 2009
6. Our Psychology and Security: The way we think
  Tuesday, September 29, 2009
7. Aujas achieves Indian Computer Emergency Response Team’s (CERT-IN) Empanelment
  Monday, August 17, 2009
8. IT Amendment Act, 2008- An act to amend the IT Act 2000
  Thursday, April 02, 2009
9. It’s raining in Cloud?
  Thursday, March 19, 2009
10. Is it time for Security Analytics
  Saturday, March 07, 2009
Recent Comments
1. financial metrics on PCI Compliance in INDIA
  3/10/2010
2. Sasi Kumar on Applications Downloads – Are they from trusted websites?
  10/21/2009
3. Web developer on Applications Downloads – Are they from trusted websites?
  10/20/2009
4. Yogi on PCI DSS 1.2 and Wifi Security
  8/18/2009
5. pci compliance on PCI DSS 1.2 and Wifi Security
  6/5/2009
6. pci on PCI Compliance in INDIA
  6/4/2009
7. pci compliance on PCI Compliance in INDIA
  5/29/2009
8. Sumit on VOIP and Security
  1/29/2009
9. manjula on PCI DSS 1.2 and Wifi Security
  11/5/2008
10. Maneesh on PCI DSS 1.2 and Wifi Security
  11/5/2008
Syndicate
Monthly Archives
Category Archives
Back to Main Page

Why measuring what you protect is important?

One suggestion I always get from visitors to my house is to addadditional security measures. Instances of all sorts of potential attacks andburglary are quoted. Some suggestions are good, but some down-right impractical(apart from the fact that it is not easy to do major alterations in the house).My standard response is, the current security is enough to protect theassets in the house. At any instant, I approximately know how much I am goingto lose (in monetary terms) in case of a burglary.

Of course the psychological effects or physical harm cannot be thateasily quantified. My 5 year son is still shocked that someone tried to breakinto our neighbour's house, couple of months earlier. So security mechanisms atmy house is sort a trade-off considering the loss of tangibles and intangibles,and how much I am willing to spend.

Business security is much more complex, but very much similar topersonal security example quoted above. It should protect the organization, itsability to perform their mission and not just its IT assets. It shouldalso consider the factors like confidence loss and bad publicity, perception ofmarket, investors and all stakeholders. Finally is should also take intoconsideration the amount of money spent on security versus the value of assetsthat is being protected.

Any Risk Assessment activity starts with understanding and collectingsystem related information. The paper <link given below> from NISTelaborates on this activity. It classifies and gives details of the IT systemrelated information which can be collected. It also enumerates some techniquesto collect such information.

http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/info/reference/nist/draft-special-publications/sp-800-30-rev-a-draft.pdf

Another related activity is business impact analysis. It analyzes theimpact associated with the compromise of information assets based on aqualitative or quantitative assessment of the sensitivity and criticality ofthose assets. Identifying, classifying and associating a cost to theinformation helps to concentrate on realistic threats among the innumerablethreat perceptions. It would also help in deciding quantity of investment andany other tradeoffs which would be made with respect to security.

We automatically do risk assessment and impact analysis when it comes to our personal security,to ensure a comfort level. Organizations need to do the same but in amore systematic way. Only then, they will be sure on how much to spend on security and where to focus. It would also be a good beginning for measuring the Security Return on Investment (RoI).