Information Security is Information Risk Management

Bob Blakley
Tivoli Systems, Inc. blakley @us, ibm.com ABSTRACT
Information security is important in proportion to an organization's dependence on information technology. When an organization's information is exposed to risk, the use of information security technology is obviously appropriate. Current information security technology, however, deals with only a small fraction of the problem of information risk. In fact, the evidence increasingly suggests that information security technology does not reduce information risk very effectively.This paper argues that we must reconsider our approach to information security from the ground up if we are to deal effectively with the problem of information risk, and proposes a new model inspired by the history of medicine.

Ellen McDermott J.P. MorganChase

Dan Geer @Stake

consequence of an event is the dollar amount of the reduction in business value which the event will cause if it occurs [Har]

1.2 Measuring Risk
A common measure of the cost of risk is "Annualized Loss Expectation," or ALE. ALE is the expected cumulative cost of risk over a period of one year as estimated in advance. For example, a chemical company estimates the probability of an explosion at one of its plants during the year 2001 as one in a million. If an explosion occurs, it will cost the company 150 million dollars in direct and indirect expenses, (for example, repair costs, legal costs, or lost business). The ALE created by the risk of a plant explosion for the year 2001 is simply: ALEffi $15,000,000 x (1/1,000,000) ffi $150 It's important to understand that the actual cost of this risk will never be that of the ALE, i.e., it will never be $150 during a particular year - it will be either $0 or $150 million. In less certain situations, the probability or the cost may be ranges rather than point estimates. If the probability of the explosion is between one in five hundred thousand and one in a m i l l i o n while the cost varies between 100 million and 200 million, the ALE would be: ALE= ($100M$200M)x (1/5 00,000.1/1,000,000 =$100.$4.00 It may be possible to estimate the probability distribution of expected loss within the range (so for example, the ALE for the example above might be uniformly distributed between $100 and $400). ALEs can also be figured based on inequalities, as is doubtless obvious.

1. I N F O R M A T I O N RISK
Information security is required because the technology applied to information creates risks. Broadly, information might be improperly disclosed (that is, its confidentiality could be compromised), modified in an inappropriate way (that is, its integrity could be compromised), or destroyed or lost (that is, its availability could be compromised). Compromise of a valuable information asset will cause dollar losses to the information's owner whether acknowledged or not; the loss could be either direct (through reduction in the value of the information asset itself) or indirect (through service interruption, damage to the reputation of the information's owner, loss of competitive advantage, legal liability, or other mechanisms).

1.1 W h a t is Risk?
In business terms, a risk is the possibility of an event which would reduce the value of the business were it to occur. Such an event is called an "adverse event." Every risk has a cost, and that cost can be (more or less precisely) quantified. The cost of a particular risk during a particular period of time is the probability of an adverse event occurring during the time period multiplied by the downside consequence of the adverse event. The probability of an event occurring is a number between zero and one, with zero representing an event which will definitely not occur and one representing an event which definitely will occur. The

2. M A N A G I N G RISK
Businesses routinely manage risk as part o f their day-to-day operations. Risks can be managed using a variety of mechanisms, including liability transfer, indemnification, mitigation, and retention.

2.1 Liability Transfer
A business can transfer liability for an adverse event to another party. This takes the risk off the business's books. Liability can be transferred in two ways: by disclaimer and by agreement. • A business disclaims liability when it undertakes an activity with the explicit understanding that it will not be held responsible for the consequences of certain adverse events, but without specifying who will be responsible for those consequences. A business transfers liability by entering into an agreement; to do this the business engages in an activity with counter-party after they both agree that the counterparty will be responsible for the consequences of certain adverse events.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is grmted without fee provided that copies are not made or dislributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redisl3"ibuteto lists, requires prior specific permission and/or a fee. NSPW'OI, September 10-13m,2002, Cioudcroll, New Mexico, USA. Copyright 2002 ACM 1-58113457-6/01/0009...$5.00.

97

To do this. In hedging schemes.4 Retention If an adverse event is not very costly or not very likely to occur. alert the business when adverse • • 2. There are two major types of indemnification: p o o l i n g and hedging. In b u s i n e s s terms this might mean foregoirtg an opportunity w h i c h has potential rewards but also carries substantial risk. i n f o r m a t i o n security is a r i s k m a n a g e m e n t discipline. • • The final information security task is an audit to determine the effectiveness o f the measures taken to protect i n f o r m a t i o n against risk. Failures o f information security are clearly adverse events which cause losses to business. If the event i s improbable. newspapers a n d trade journals carry stories o f the latest virus. or by reducing the consequences i f it does occur. whose j o b is to manage the cost o f information risk to the business. the j o b o f information risk m a n a g e m e n t is never done.: most c o m m o n type o f r i s k . a business m a y choose to retain the risk which t h e adverse event creates.i m o w n example o f riskhedging scheme. 3..p o o l i n g scheme. Cyclical industries often approach i n h e r e n t sector risk in this way. M a n y large companies do this with respect to the travel risks their employees incur. storing up funds in fat years against the lean. • 3. Being! better than others at estimating the true odds o f an adverse event can enable a business or an i n d i v i d u a l to make m o n e y on h e d g i n g schemes in the same way as easi'nns make m o n e y on card games.~. or bug in an important s e c u r i t y product. therefore. so that steps can be taken to mitigate the risks those v u l n e r a b i l i t i e s create. The public is getting the message even if the o n l y sensible reaction is dread.2. the business d e p l o y s a m i x o f processes and technical mechanisms. The consequences o f an adverse event can be reduced b y taking steps to limit the damage the event causes. or if the benefits to be realized from taking a risk are great. it is s. I f the adverse event does not happen. 3. • A business which retains risks without setting aside funds to offset their costs is said to accept retained risks. the n e x t task is to enforce the policy. obviously.s e r v i c e attack.3 M i t i g a t i o n A business can try to reduce the expected cost o f a risk. 3. These policies describe "'who should be allowed to do what" t o sensitive i n f o r m a t i o n . the business uses the m o n e y it collects from w i n n i n g the bet to defray the ccsts of the adverse event. 2. the probability o f an event can be reduced to zero by e n t i r e l y avoiding the activity which creates the risk.1 Focus Information security t e c h n o l o g y focuses primarily on r i s k mitigation. I f the adverse event does happen. Once an information security policy has been defined. • If the b u s i n e s s chooses to set aside funds to offset the cost o f retained risks.2.2 I n d e m n i f i c a t i o n A business can i n d e m n i f y itself against the consequences o f an adverse event. • In p o o l i n g schemes. either b y reducing the probability o f the adverse event occurring. information security starts with policies. These steps either prevent the damage caused by the adverse event from spreading. because the probability is high that t h e y will win the bet. • The probability o f an adverse event can be reduced b y redesigning systems or processe. I N F O R M A T I O N SECURITY Up to this point we have used examples unlrelated to information risk to illustrate risk management. The p o l i c y definition. and it d o e s n ' t do a very good j o b o f protecting businesses against even that small part. several businesses share the cost o f certain risks. W h y is i n f o r m a t i o n security failing7 We posit two r e a s o n s : information security focuses on only a small part of the problem o f information risk. pooling will decrease the cost o f risk to each organization in the pool while increasing the predictability o f the cost o f risk for each business in the pool. the business will pay off the bet. Detection measures events o c c u r . These processes and m e c h a n i s m s fall into four categories: • Protection measures (both processes and t e c h n i c a l mechanisms) aim to prevent adverse events from occurring.o f . Response measures deal with the consequences o f adverse events and return the business to a safe condition after a n event has been dealt with. other organizations or i n d i v i d u a l s are l i k e l y to take the bet. The key to a successful hedging scheme is getting the odds right on the bet. Insurance policies are th. We say "final" but. protection. Building codes that anticipate earthquakes do nothing to prevent earthquakes but they do lessen the damage that would otherwise be inevitable and uncontrolled. or they shorten the time d u r i n g which the event causes damage by accelerating d e t e c t i o n and recovery.1 W h a t is I n f o r m a t i o n Security? Where information risk is well enough understood and at least in broad terms stable. Options are the b e s t . website defacement. I n f o r m a t i o n security risk analysis processes are geared toward i m a g i n i n g and then confirming t e c h n i c a l v u l n e r a b i l i t i e s in i n f o r m a t i o n systems. If adverse events are u n l i k e l y to h a p p e n simultaneously to a m e a n i n g f u l fi'action o f the b u s i n e s s e s in the pool. and the lessons learned each time through the cycle are applied during the next cycle.iid to self-insure a g a i n s t these risks. a single business essentially places a bet that an adverse event will happen to it. and audit tasks are performed over a n d over again. Assurance measures Validate the effectiveness and proper operation o f protection. and response measures. detection. d e n i a l . Every day.2 W h a t ' s w r o n g w i t h inf or ma tio n security? It's increasingly e v i d e n t that i n f o r m a t i o n security as d e f i n e d above simply i s n ' t doing the job. for example when they rent automobiles. to eliminate the e v e n t ' s k n o w n or suspected causes. I n some cases m a n a g e m e n t will be asked to sign a risk acceptance 98 . In t h i s case. :Ln the extreme case. the bettors will have to pay the business.

and McHugh have shown [AFM]. firewall. wmlm m mmm4* mlnm vh~4 ram- lammL dm~m. The year 2000 FBI/CSI survey [CSI] nevertheless reports that use of information security technologies is very widespread close to 100% of companies responding to the FBI/CSI survey use antivirus. in favor of logical (that is. by mmow. Table 1. and the lack nfgood data may be the main reason qualitative analysis o f information security risk is not usually performed. they don't work[ 99 . and against physical cameras.2 Effectiveness The annual FBI/CSI computer crime surveys and the CERT coordination center annual summaries [CERT] have shown substantial increases in the number o f security incidents and in the dollar losses resulting from incidents in each of the past five years. though the Australian national standard for risk analysis [AS] permits the use of either qualitative or quantitative analysis. Further. And where consequence reduction is implemented.. walls. Lloyd's.. and safety (see [KBPS] for a number of examples).." Despit© the lack of actuarial data. although these are not covered in the FBI/CSI survey) do not prevent losses . A risk acceptance will typically include either a plan for future mitigation or a justification of the economic rationale for choosing not to mitigate. Information security as a discipline is often biased • • • toward technological mechanisms rather than process mechanisms. including the now withdrawn [FIPS65]. as Arbaugh.. and some of these methodologies have been included in formal information security standards." Insurers seem to agree that data is lacking. Methodologies for quantitative and mixed quentitative/qualitative information security risk analysis have been published. although some organizations do address these issues in an "operational risk" organization separate from the information security organization. Quantitative risk analysis is used extensively in disciplines other then information security. m im r~Iqv6 mTImm. it tends to focus much more strongly on quick recovery (for example. lmmIdmm Emma. mmilm. The following chart organizes information security products end processes according to the risk management activities they implement. Zurich. The authors are not aware of any current information security standard which mandates the use of a quantitative risk analysis method. etc.. by using aggressive auditing to identify the last known good state of the system) than on minimizing the magnitude of a loss through measures to prevent damage from spreading. computer hardware and software) mechanisms. and access control technologias. Information security risk analysis methodologies were developed long ago. including finance. the insurance industry typically depends on large bodies of actuarial data collected over long periods of time to develop pricing models for insurable exposures. The large majority of these standards have been qualitative . Chubb. risks arising from a vulnerability are often multiplied both by scripting of the attack and by the haphazard deployment of patches even when they are easily available. QUANTIFICATION OF I N F O R M A T I O N SECURITY RISK Risk analysis has been recognized as an important information security discipline for a long time. Quantitative information security risk management standards have been developed. The National Underwriter Company's guide to risk in the wired world [ERisk] warns: "The lack of historical data presents one of the most difficult challenges when trying to analyze online exposures. their assessment of probability and consequence of risks is based on a "low/medium/high" characterization rather than on a specific probability and a specific dollar amount of loss. and others. 4. see for example [Pelt]. because the data on the likelihood and costs associated with information security risk factors are often more limited and because risk factors are constantly changing. Furthermore. The chart clearly illustrates the problem. [GAO] explicitly acknowledges this: "Reliably assessing information security risks can be more difficult than assessing other types of risks. Recent guidelines which recommend qualitative risk analysis techniques include [GAO] and the newly issued draft t~STRMO]. many insurers (including AIG. The combination of nearly universal deployment of security technology with rapidly and steadily rising losses strongly suggests that security technologies (and processes. to retain a risk) after a risk analysis.in other words. Information security activities rarely include any discussion of indemnity or liability transfer. Qualitative information security risk management standards include the US Federal standards [FIPS31] and [FIPS191]. Fithen. mwf~ all. But in the Wired World exposures arc so new and are growing so rapidly in terms of frequency and severity that this is not an easy task. There is a large body of literature on methods for quantitative risk analysis in these fields.) mechanisms (such as locks.t h a t is. a partial list can be found in [ECov]) are offering policies which cover losses due to failures of information security. identification of a vulnerability end its exploitation are both separated in time. information security focuses more on reducing probability of an adverse event than on reducing its consequences. Good data is a prerequisite to qualitative risk analysis. But the actuarial basis for these policies is unclear.2. 3. as the National Underwriter Company [ECov] explains: "The insurance industry has worked closely Even within the category of risk minimization activities. sources include [Koll] and [Vosc]. healthcare.(that is.

The c a l c u l a t i o n o f losses needs t o be done using a uniform m e t h o d o l o g y .aside from the v e r y substantial a m o u n t required b y the accord as a baseline. w h y c a n ' t t h e y be used to help underwriters d e v e l o p assessment and u n d e r w r i t i n g tools and train c l a i m s p r o f e s s i o n a l s in t h e intricacies o f IT losses. has solicited the aid o f the t e c h n o l o g y staff o f the insurance i n d u s l r y i t s e l f in fixing the p r o b l e m : "Even t h o u g h insurance IT staffers can revert to the s a m e techie talk that t e c h n o l o g y clients use. B a n k o f A m e r i c a wrote " W e do not believe t h a t operational risks are m e a s u r a b l e using m e t h o d s and data t h a t are available at this t i m e . w h i c h governs the a m o u n t o f capital that banks must set aside as a h e d g e against risk. w h i c h security measures were bypassed.e details o f losses f r o m such p r o b l e m s as deficiencies in internal controls. whether attempting to m o d e l operational risks or not. Some m e c h a n i s m m u s t be put in place to c o m b a t t h e o b v i o u s t e m p t a t i o n s to d i s t o r t pre. requires for the first time that banks s e t aside capital to offset operational. New risks are emerging. that their risk e x p o s u r e is lower than the Basel a c c o r d ' s estimate. Incidents that are traceable t o v u l n e r a b i l i t i e s already k n o w n are one thing and will be a matter o f d i s c u s s i o n between insurers and v i c t i m s i f in n o other situation. h u m a n error. or system failure. and t h e effectiveness o f i n f o r m a t i o n security risk control measures.1 V u l n e r a b i l i t i e s A c o m p r e h e n s i v e list o f i n f o r m a t i o n security v u l n e r a b i l i t i e s needs to be developed.and p o s t . i n f o r m a t i o n needs to be gathered and regularly u p d a t e d about the ease a n d f i c q u c n c y o f exploitation..ites and rating s t r u c t u r e s for acceptable risks. So far there have b e e n r e l a t i v e l y few claims that have materially affected t h e t e c h n o l o g y industry. There will be t e m p t a t i o n s t o extrapolate from available data to less-available data.lstitutions appear to be actively m o d e l i n g o p e r a t i o n a l risk. decades. and the i n f o r m a t i o n needs to b e collected and m a d e a v a i l a b l e in a way which d o e s not create additional liabilities for the reporting organizations.aches for measuring operational risk and the m o d e l s an: largely untested. Banks which can d e m o n s t r a t e . S.3 L o s s e s F o r each incident identified. together with i n f o r m a t i o n about about the c o s t o f acquiring." W e ask a similar question: i f the IT security industry can design countermeasures and counsel clients on h o w to d e f e n d their systems. r e c o g n i z i n g t h e lack o f this k i n d o f actuarial i n f o r m a t i o n about i n f o r m a t i o n security-related losses. This i n f o r m a t i o n must be collected and m a d e available in a w a y that d e m o n s t r a b l y minimizes the p r o b a b i l i t y o f exploitation in an eccmomically harmful w a y A c o m p r e h e n s i v e list o f a v a i l a b l e securiW measures needs to b e developed. can reduce their capital set. and the i n s u r a n c e industry has had only a b r i e f p e r i o d o f t/me to scratch t h e surface for potential liabilities.. The new e c o n o m y has d i s r u p t e d t h i s equilibrium. and for r. risk (which i n c l u d e s information security risks). and m a i n t a i n i n g each s e c u r i t y measure. and ease and speed o f recovery f r o m exploitation. w h i c h security measures were defeated." The finance industry certainly sees a lack o f i n f o r m a t i o n security risk data. . some is not. A f t e r years. o r to a v o i d personal or c o r p o r a t e accountability. especially w h e n discussing IT expenditures. A large number o f financial i n s t i t u t i o n s have c o m m e n t e d [BCom] on the r e v i s e d accord. o n l y a few iJ. It is too early to establish a c t u a r i a l tables to quantify t e c h n o l o g y risks.sk.4 C o u n t e r m e a s u r e Effectiveness 4. Some i s already in g o o d supply." The R i c h m o n d Federal Reserve wrote: " W e arc concerned about t h e lack o f data on o p e r a t i o n a l risk. they are often r e q u i r e d to e x p l a i n t e c h n o l o g i c a l a d v a n c e m e n t s and enhancements to upper m a n a g e m e n t o f the insurance company. the f o l l o w i n g i n f o r m a t i o n needs to be collected. the authors caution that these temptations should be avoided. This information m u s t include w h a t vulnerabilities were e x p l o i t e d and how r e s p o n s e and recovery were handled. The National Underwriter C o m p a n y [ECov]. The A m e r i c a n B a n k e r ' s A s s o c i a t i o n wrote " . These tables end charts t y p i c a l l y deal in a w o r l d where the events that tend to cause the damages have been identified p r e v i o u s l y and p r o v i d e a basis for which the future can be predicted. handful o f banks h a v e implemented quantitative apprc. w h y c a n ' t we help underwriters d e v e l o p assessment and u n d e r w r i t i n g tools and Urain c l a i m s p r o f e s s i o n a l s in the intricacies o f IT losses? Do we h a v e something m o r e i m p o r t a n t to do7 4. . and a c k n o w l e d g e that b a n k s have been very reluctant to publici:. and t o apply risk-measurement methods which am already u n d e r s t o o d outside o f their a p p r o p r i a t e d o m a i n s o f use.2 I n c i d e n t s I n f o r m a t i o n needs to be gathered about security i n c i d e n t s experienced by businesses worldwide. We also i00 . This information needs to be collected and m a d e available in a w a y which does not create a d d i t i o n a l liabilities for the r e p o r t i n g organizations (and hence incentives to a v o i d reporting). I f t h e y can do that.with actuaries and financial anal:rsts to map out t h e calculations for the p r o b a b i l i t i e s o f loss. r e p u t a t i o n damage or lost business) with an estimate o f the m o n e t a r y losses r e s u l t i n g from these indirect losses. starting in January 2005 and based on 3 years o f a u d i t a b l e data. information needs to be c o l l e c t e d about direct m o n e t a r y losses caused by the incident and a b o u t indirect losses (for example. O n l y e. . even at a t h e o r e t i c a l level". Incidents that h i g h l i g h t p r e v i o u s l y u n k n o w n v u l n e r a b i l i t i e s m u s t b e fed back to that catalog. managing. the f i n a n c i a l analysts arc h a m p e r e d in p r e d i c t i n g hhe financial v i a b i l i t y o f insuring t e c h n o l o g y risks." In order to quantify i n f o r m a t i o n security risk. F o r each v u l n e r a b i l i t y . 4. the p r o b a b l e c o s t s for various scenarios o f loss. calculations for various p r o b a b i l i t i e s have b e e n developed. to e m b e l l i s h war stories. . F o r each incident identified.e v e n t r e a d i n e s s and p r o t e c t i o n postures and event details in order to o b s c u r e or conceal the occurrence o f events. Because the actuaries d o n ' t have the data n e e d e d to predict losses. The revised Basel accord [Basel]. WHAT DOES THE CURRENT SITUATION LOOK LIKE? W e have d e s c r i b e d a world in which we have very l i t t l e i n f o r m a t i o n about frequency o f occurrence o f adverse e v e n t s and about the seriousness o f their consequences.. and even centuries o f study. and m o d e l i n g is v e r y much in d e v e l o p m e n t . . 4. . information needs to b e collected about w h i c h security measures were in use at the t i m e o f the incident. m o s t banks have not captured the d a t a necessary to evaluate o p e r a t i o n a l ~. and how m u c h time and effort were required to circmnvant or defeat the security measures i n place.

and retention as well as mitigation. and the professional obligation to report information to "public health" authorities. indemnification. interactions with other medications. effectiveness as measured in clinical studies. contraindications and precautions. this information is based on strict quantitative studies of use of the medications included. will require assessing the costs and benefits of all risk treatment options .know very little about the effectiveness of the measures we take to prevent adverse events or alleviate their consequences. • • • Mandatory professional practitioners education and liccnsure of Systematic collection and study o f public health data Systematic observational effectiveness o f treatments studies of safety and We propose that these same developments would p u t information risk management on a sound footing.even though the human organism is still too complex to understand. drug advertising is heavily regulated. assessment o f patients during the course of therapy. And of course. 6. The world of medicine today is very different . There is no obligation whatsoever to report information which might have "public health" or "public safety" implications to an established authority (and in fact sometimes the aforementioned employment agreements and consulting contracts explicitly forbid such disclosures). routes o f administration and dosages. with no advice on how to choose among the many options). and to control the use of potentially harmful treatments. Consumption [i. No professional body exists which could discipline ethical lapses if they occurred. Again. and procedural as well as technical treatments. and patient and family education. Tuberculosis] has yielded to its wonderful influence" [OFA]). the cause or causes. or mortality rates of the conditions it describes. syptoms. interactions with drugs and medicinal herbs. signs. the information risk professional will 101 . and all Throat and Lung Troubles. which claims that "It is the most reliable preparation in the world for the cure of Coughs. There is no obligation of confidentiality to the organizations they treat . symptoms. for each condition it describes.other than those negotiated on a case-by-case basis in employment agreements or consulting contracts. pharmacokinetics. it consists entirely of lists of preparations which could be administered for each condition. the human organism was too complex to really understand. uses (including unlabelled uses). Three critical developments helped modernize western medicine: Information risk professionals should have all these things too. and advertisements are required to provide extensive information on side effects. and the safety and effectiveness of treatments (The 1900 edition of the Old Farmer's Almanac includes an advertisement for Wistar's Balsam of Wild Cherry. Needless to say. They don't hold revocable licenses (or any licenses at all). Bronchitis. The 2002 edition of the Prentice-Hall Health Professional's Drug Guide [HPDG] includes. we make specific proposals which could drive these developments into the practice of information risk management. Influenza. Today. laboratory tests and findings. pregnancy risk category. This situation looks to the authors very much like the state of medical practice in the 19th century (for a good general treatment of the development of scientific medicine. . What has made all this possible is the increased professionalism of medical practice. considerations for use in children and pregnant women. conversely. A physician has: • • • • • A specialized professional education A revocable license to practice An ethical obligation to treat patients appropriately and keep their private information in confidence A professional obligation to control (through the power o f prescription) the use of potentially harmful treatments A professional obligation to report. The 2000 Centennial Edition o f the Merck Manual [Merl7] lists. HOW SHOULD INFORMATION RISK BE MANAGED? Today. There is no ethical obligation imposed on information risk management professionals to avoid the use of ineffective or even harmful treatments. detection and response as well as prevention. related or similar conditions together with methods for distinguishing between them. for each listed medication. which includes an extensive bibliography). see [Por]. The public feared medical treatment (for good reasons. despite frequent outbreaks of serious diseases). and likely outcomes of illness causes (the 1899 first edition of the Merck Manual [Merl] contains no information about causes.e. the system we are attempting to protect (roughly composed of the global Internet and everything attached to it) is far too complex to be understood in detail. important public health information to the proper authorities. Particularly important in our view are the ethical obligation to apply only appropriate treatments and protect confidentiality of those treated.liability transfer. and prognosis and treatment regimens. In the next three sections. The people to whom these events happen have few incentives to report them. Finally.which will be maximized by optimizing cost of risk to the business rather than on minimizing probability of occurrence of adverse events. Much of this information is based on quantitative studies o f outcomes. effective risk management treatments for the problems they encounter. and s o on. based in large part on the collection and study o f quantitative data about prevalence and outcomes of illnesses and treatments. etiology and pathology information. Whooping Cough. The information risk management professional's obligation to treat appropriately. they have many incentives to suppress information about them. Choice of treatment options should be based on the welfare of the "patient" . Medical practitioners had a poor understanding of the prevalence. adverse reactions and side effects. contraindications. and methods o f diagnosis. and in many well attested cases. and widely considered medicine to be ineffective. information on action and pharmacodynamics. information risk should be treated by professionals with the characteristics of a physician. information risk management professionals have training but often no formal information risk management education. They have no formally recognized ethical obligation to use only safe. The authors posit that in the future.

incidents. Specifically. however. that m e d i c i n e has n o t always had white laboratory m i c e as models either. v u i n e r a b i l i t y . risk transfer and i n d e m n i f i c a t i o n ) . the effects o f l o s s e s . reporting to these organizations is voluntary. S o m e industries already quantify intellectual property risk i n financial terms and take steps to m. some data on risk p r e v a l e n c e and severity is c o l l e c t e d by the US FBI. q u a n t i t a t i v e o b s e r v a t i o n a l studies o f actual outcomes. Furthermore. information security t e c h n o l o g i e s are subjected t o design and i m p l e m e n t a t i o n a n a l y s e s defined b y a number o f assurance regimes (most n o t a b l y the C o m m o n Criteria [CC]). and the effectiveness o f informal:ion risk treatments. B u s i n e s s e s can also s u b m i t v o l u n t a r i l y to "seal" p r o g r a m s . the resulting d a t a should be reported (by the information risk m a n a g e m e n t professionals. I n f o r m a t i o n risk m a n a g e m e n t professionals have no training in the design o f experiments t o test effectiveness o f the m e a s u r e s t h e y design. a n d true. and wc u r g e research into the d e v e l o p m e n t o f an appropriate " s e c u r i t y m o u s e analog" for use as an effectiveness testbcd for s e c u r i t y measures. The F D A ' s process i s based on systematic. as a condition o f granting certification. and c o m p r e h e n s i v e . o b s e r v e d outcomes) m u s t rule. This is an important. not on synthetic a priori assurance o f v u l n e r a b i l i t y a v o i d a n c e . in a w a y w h i c h protects the p r i v a c y o f the o r g a n i z a t i o n s those p r o f e s s i o n a l s treat. collection o f data on information risk needs to be much m o r e regular. Probabilities of exploration must be balanced with consequences. This " P u b l i c Security Service" should collecl. and the results o f effectiveness testing done b y vendors and their contractors are a l m o s t never p u b l i s h e d .D? Today. data on t h e prevalence o f losses. and p o s s i b l y i t s external auditors. or any o t h e r e x p l i c i t measure o f the effectiveness o f security p r o t e c t i o n measures. b u t also on q u a n t i f y i n g them. rather than the o n e . However. !02 . j u s t as advanced m e d i c a l research into new drugs and the causes o f disease is carried o u t by academic m e d i c a l schools and p h a r m a c e u t i c a l research l a b s today. and on conl3"act. A w o r k s h o p p a r t i c i p a n t p o i n t e d out that the i n f o r m a t i o n security industry has no e q u i v a l e n t o f the white l a b o r a t o r y m o u s e which can be u s e d to test the effectiveness o f s e c u r i t y m e c h a n i s m s w i t h o u t h a v i n g to s u b j e c t b u s i n e s s ' p r o d u c t i o n systems to unethical levels o f risk. 7. or countermeasures are used in the c o l l e c t i o n or reporting o f this information. Some r i s k analysis m e t h o d o l o g i e s and standards already i n c o r p o r a t e r u d i m e n t a r y l o s s .be o b l i g a t e d to a v o i d the use o f risk effectiveness is d e m o n s t r a b l y low. in a w a y that respects their ethical o b l i g a t i o n t o protect the privacy o f those they treat) to the information r i s k equivalent o f a p u b l i c health service.vities can be i n t e g r a t e d across the entire spectrum o f business risks [Shim]. the authors b e l i e v e that the effectiveness o f i n f o r m a t i o n security t e c h n o l o g y w o u l d be m o s t e f f e c t i v e l y evaluated by an impartial b o d y f o l l o w i n g a process similar t o the one u s e d b y the US F o o d and D r u g A d m i n i s t r a t i o n (FDA) to approve m e d i c a l treatments for use. and only a s m a l l sample o f b u s i n e s s e s even receive the questionnaires w h i c h these b o d i e s use to c o l l e c t their s u m m a r y i n f o r m a t i o n . In the future. 6. Security t e c h n o l o g y d e v e l o p m e n t and selection should b e based on quantitative o b s e r v a t i o n a l studies o f effectiveness. Professional training in m a n a g e m e n t o f i n f o r m a t i o n s e c u r i t y risk should present a b r o a d and in'tegrated view t r e a t m e n t s (including.1 Reporting Today. i n f o r m a t i o n s e c u r i t y risks should b e characterized in Financial terms. no standard t a x o n o m i e s o f v u i n e r a b i l i t i e s . for example. B u s i n e s s e s can contract for p e n e t r a t i o n testing. information security education should be built on this kind o f c o m p r e h e n s i v e framework. and no t r a i n i n g in p u b l i s h i n g or r e v i e w i n g the results o f such experiments. the advanced research which drives t h e d e v e l o p m e n t o f new ~eatrnents and deeper u n d e r s t a n d i n g o f the causes o f risks will continue to be carried out in t h e a c a d e m i c and business c o m m u n i t i e s . the authors believe that information security r i s k assessments should focus n o t j u s t on i d e n t i f y i n g risks. and to inform p u b l i c p o l i c y decisions about i n f o r m a t i o n risk management. 8. formal. In the future.r n i t i g a t i o n focus c o m m o n today. The Public Security Service should analyze this data and p u b l i s h the results o f its analyses as a w a y to i m p r o v e the state o f In the future. uncertainty a n d d o u b t that continues to be the selling p r o p o s i t i o n for m o s t security t e c h n o l o g y . but the authors are not aware o f any c e r t i f i c a t i o n regime which requires p e n e t r a t i o n testing. Risk a s s e s s m e n t findings are e s s e n t i a l l y never shared w i t h anyone except the business being assessed. as a n n u a l i z e d loss e x p e c t a t i o n s Once risks are identified and quantified. Obviously. I n f o r m a t i o n risk should be studied by an i n d e p e n d e n t b o d y with t h e characteristics o f a p u b l i c health service. The next s e c t i o n discusses this service at m o r e length. this means t h a t information security risk e d u c a t i o n should include f i n a n c i a l and legal d i s c i p l i n e s in a d d i t i o n to the technical d i s c i p l i n e s taught today. N o s y s t e m a t i c effectiveness t e s t i n g o f information s e c u r i t y measures is done by any i n d e p e n d e n t body.e x p e c t a t i o n e s t i m a t i o n methods. The authors observe also. treatments whose i n f o r m a t i o n risk m a n a g e m e n t practice. almost all i n f o r m a t i o n sec~c~-ity risk assessments u s e qualitative rather than quantitative methods.d i m e n s i o n a l . Some risk-managemerLt experts have begun to describe h o w risk m a n a g e m e n t acti.mage risk using f i n a n c i a l instruments. process and system c o n f i g u r a t i o n audits. and includes an o n g o i n g m o n i t o r i n g p h a s e which updates safety and effectiveness information after treatments have been a p p r o v e d and are in use b y the m e d i c a l community. f~om i n f o r m a t i o n r i s k m a n a g e m e n t professionals. and other organizations. whose certifications are based on d e p l o y m e n t o f p o p u l a r technologies. CERT. HOW SHOULD INFORMATION SECURITY TECHNOLOGY BE EVALUATI~. losses. ALEs (that is. not the e m o t i o n o f a g o o d story and the fear. A t the s i m p l e s t level. observation. but t h e s e are u s u a l l y limited to a " l o w / m e d i u m / h i g h " c a t e g o r i z a t i o n with arbitrary dollar ranges assigned to the categories. HOW SHOULD INFORMATION B E STUDIED? RISK Today. the causes o f losses.

(such as the US NCSC) or governmentsponsored security laboratory (such as the CERT Coordination Center). but the direct cost o f the legal settlement ($US 470 million) represents only about SUS 12. for example. as stated in the previous section. and this does not include consideration of the more than 2700 people permanently disabled. The first author would like to acknowledge the support of the Open Group in providing an ongoing forum for his investigations into the topic of security and Risk Management. On the other hand. and specifically to the reviewer who called the issue of the ethics of quantification of losses to our attention. One argument against this point of view might be that the real cost of the loss of a life to the organization which causes the loss is not very great in some cases. a commercial organization through a seal program. and information risk management professionals do not have training in technical writing or review of other practitioners' results. assessment must include the overall risk control process. A determined effort should be made to evaluate all kinds o f protection. there seems little doubt that the Challenger launch would have been delayed and the ship saved. and used by working practitioners (not j u s t academics) in some disciplines. we believe that information security countermeasures will continue to be difficult to justify in voluntary control regimes until their effectiveness can be expressed as a quantifiable reduction o f economic losses. Information risk management professionals should be required to report regularly to the evaluation body on the effectiveness of the treatments they "prescribe" to their "patients". Information risk management professionals should.1 Tracking and Reporting Today. It must be sensitive to the rate of change in each of these parameters. Twelve thousand dollars for a human life is an uncomfortably low figure. The first point to be made in this context is that systems which pose known or suspected risks to human life or safety should be treated using techniques for managing risk in safety-critical systems. 103 . Estimates of the total cost of the Union Carbide Bhopal plant to the Union Carbide corporation vary. Finally. that society should use legal and regulatory mechanisms to mandate control o f that risk. The third point which needs to be made is that accurate quantification o f the costs of risks to human life and safety might in fact provide powerful incentives for control. and technical measures. protect against safety risks. or should. and should distribute these updates to the community of information risk management professionals. an insurers' consortium similar to Underwriters' Laboratories. if NASA had had a realistic estimate of the probability that the Space Shuttle Challenger would be destroyed. and response measures (both technical and non-technical) to quantify how each measure the affects annualized loss expectation arising from many specific k i n d s of risks. 9. Serious safety risks should be controlled using a regime which is n o t voluntary and is not based on a cost/benefit analysis. The authors do not claim that information security risk management techniques do. The second point to be made is that society must take risks it considers unacceptable out of the realm of economic 10. no equivalent of The Lancet or Journal of the American Medical Association exists to enable publication and review of information about the effectiveness o f information risk treatments. A WORD ABOUT ~ ETHICS OF RISK QUANTIFICATION A review of an earlier draft of this paper questioned whether quantification o f certain types of risks (particularly risks to human life and safety) in fmancial terms is ethically acceptable. We also believe that information security risks will be poorly understood until we do a much better job of quantification o f economic losses.the fact that a life costs a major corporation o n l y $12. Putting a price tag on a human life is certainly fraught with ethical dangers. The authors maintain that cost-justifying risk controls can only be effective if the risks can be quantified. even if they also require information security risk treatment (see for example [Leve] or [Stor] for full treatments of risk in safety-critical systems). Risk-tolerant firms may gain temporary competitive advantage against risk-averse firms by spending less on control (especially for risks with low probability o f occurrence) as long as they are lucky and the risks do not cause them losses. The evaluation body should continually update its assessments of treatment effectiveness based on the information it receives. At least in capitalist societies.While assessment o f technical vulnerabilities and the likelihood o f their exploitation should and will remain a part of information technology risk management. we do believe that all risks should be quantified to the greatest extent possible. The effectiveness of information risk treatments will change over time as the technical environment and the risk environment "in the wild" evolve. including personnel. physical.400 for each of the roughly 3800 people killed by the accident. We note in passing that journals of this sort are useful to. In summary. The impartial body which carries out evaluations could be a government agency. be professionally obligated to avoid the use o f demonstrably ineffective treatments. while the authors do not believe that every risk should be controlled using a monetary cost/benefit framework. detection. regardless of the anticipated control regime. an industry consortium such as IT-ISAC. Does this mean that quantifying this risk is ethically irresponsible? The authors think not . 8. or a combination o f some or all of the above. a consumer organization similar to Consumers' Union. If a society concludes that a certain safety risk is sufficiently serious that controlling it is mandatory. and had also had an accurate estimate o f the financial and reputation costs of this event. police laboratory personnel regularly publish in and read the Journal o f Forensic Science. justification by imposing mandatory control regimes. A C K N O W L E D G E M E N T S The authors are grateful to the anonymous reviewers. The economics o f controlling risks can be distorted b y competition.000 looks to us like a call for reform of the liability system. any risk for which there is no legally required control regime will be controlled only to the extent that the cost o f control can be economically justified.

[Merl] Merck & Co. 1996. http ://www. CERT Annual Reports. [ERisk] Lang. [HPDG] Shannon.). New York... and McHugh.. [Har] Harrington.. M. M. and Berkow. Norton & Company. Pitblado. J. 2000. 1994.: Addison-Wesley. and Niehau~. [Stor] Storey. New York.. . W. "Safeware: System Safety and Computers". Merck Research Laboratories. [Shim] Shimpi. New York. (eds. OH: National Underwriter Compemy. Boston: McGraw-Hill. Boston. Cincinnati. OH: National Underwriter Company. Cincinnati. D. S. "Merck's 1899 Manual". C SI. 1899. S. R. IEEE Computer. http://www. 2002. and Stricoff. [FIPS3 I] US Depa~h. [Por] Porter. and Stang. S.: Addison-Wesley. 2000. Mass. "Risk Management and Insurance".. R E F E R E N C E S [AS] Standards Australia. [Leve] Leveson. "'Guideline for the Analysis of Local Area Network Security". S. C. 1999.. (ed. Basel: Bank for International Settlements. Reading.. [NISTRMG] US National Institute of Standards and Technology. 1997. "The Greatest Benefit to Mankind".. R. P. 2000. Health...W. Davis.: CRC Press.. 2001. "e-Cove-age". "e-risk: Liabilities in a Wired ~'orld". R. 2001. D.. [Pelt] Peltier. 17th ed. 1996. T. W. 1974. [Basel] Bank for International Settlements. Bartell.. 104 . 1999. "Information Security Risk Analysis"... "Health Professional's Drug Guide". Clarke. "Safety-Critical Computer Systems". Fithen. J. and Safety Professionals". "The Merck Manual of Diagnosis and Therapy". Irwin/McGraw Hill. Boca Raton. [OFA] Thomas. N. L.. 1995. "Special Publication 800-30: Risk Management Guide" (Draft).Law. "Risk Assessment and Management Handbook for Environmental.. [GAO] US General Accounting Office. NJ. 2001. R. N J. Wilson. William Ware & Co. Boca Raton...html [ECov] TechRisk. Jaye.. 1900. [KBPS] Kolluru. [FIPS 191] US Department of Cmnmerce/National Institute of Standards and Technology. [Merl7] Beers.. "Computer Security Issues & Trends". "Information Security Risk Assessment: Practices of Leading Organizations".. Fla: Auerbach Publications. G.hUn [CERT] CERT. G.11. "Risk Assessment and Decision Making in Business and Industry". Fla.org/annual_rpts/index.cert. Boston. and Loesch.. 1999. Erwin. Reading. Texere. J. [Koll] Koller. "Guidelines For Automatic Data Processing Physical Security and Risk Management".ent of Con~nerce/National Bureau of Standards. N.). [AFM] Arbaugh. 1999. "Integrating Corporate Risk Management. 2000. R. [Bcom] Comments on New !Basel Capital Accord. B. Dece]mber.org/bcbs/cacomments.bis... "AS/NZS 4360:1999 Risk Management".. [CSI] Computer Security Institute ~md US FBI. 1999... Mullamey. Merck & Co.a Case Study Analysis". (eds. IEEE. Prentice Hall. "The New Basel Capital Accord". Upper Saddle River. Whitehouse Station. W.. M. "Windows of Vulnerability. Mass. 1999. "Old Farmer's Almanac".).

Sign up to vote on this title
UsefulNot useful