February 2005 issue, Cover Feature
The Metrics Quest: R = A x V x T
Gary Bahadur
Monday, November 17, 2008
Security has always been viewed as a cost center and never associated with revenue-driving initiatives. This makes it difficult to get approval for, and to justify, security budgets and expenditure on software, hardware, personnel, services, training, processes and procedures.

In the past, the effectiveness of security spending has been judged by soft measurements, such as the size of the security staff relative to the annual budget, or the speed with which new vulnerabilities or viruses were resolved or "patched". This left a gap, because it did not demonstrate the cost savings of preventing digital attacks.

Developing appropriate security risk metrics can help you communicate the business value of an effective security program to your organization’s senior management. Through such metrics, you can assign measurable values to your security posture, allowing you to show tangible results.

Most enterprises have finite budgets to spend on security. If, for instance, you have $100 to spend on security, where and how do you spend that money? Do you need to purchase a firewall or an IDS, and how does it subsequently impact your environment? Will you at some point lose the value of these devices? At what point will you receive the most value from your security investments? Or are you simply wasting money?

Many IT managers cannot assess how much a security device is going to save them, or how much dollar loss will accrue without a particular security device. Suitable security metrics are required in order to measure or track a particular impact, and without a measure of the expected savings the device cannot be justified. Such metrics not only help reduce the potential of threats or vulnerabilities in your environment but also enable you to determine the effectiveness of information security programs.

Risk = A x V x T
Where do you begin? If you have no security policy, there is nothing to base the metrics on. The control processes and procedures must be clearly articulated. With the policy in place, you need to understand the inventory of assets in your environment. Next you must decide which assets need protection. If you don't know their value, you will not know what monetary or man-hour protection of the environment you are providing.

Once you have taken stock of the inventory, you need to prioritize each asset based on its risk exposure. Is every single device in your environment subject to high-risk threats? Probably not. A priority mechanism must be drawn up, classifying each of the assets as high, medium or low risk. If you fail to identify which devices to protect, especially the highest-risk ones, you will not get value from your security budget. It is likely that many organizations have not prioritized their assets, but you must.
Next you must analyze what vulnerabilities your assets are exposed to and how. Identify the threats against your environment.

Once you know your assets, vulnerabilities and threats, you can calculate the risk. The product of these three parameters is the risk, and once each is measured the IT or security staff can apply remediation to high-risk devices first, followed by medium- and low-risk devices.

Finally, you must ensure compliance with corporate and government regulations.
It is essential to analyze threat data on a daily or weekly basis and observe which server will be affected next. You must correlate threats, assets and vulnerabilities frequently and change certain policies and procedures as you reassess risk. This becomes an ongoing cycle.
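The following is an added example, not code from the article or its author: a small risk register that applies Risk = A x V x T to a constructed asset inventory and orders remediation high, then medium, then low. The numeric weights, the 0-5 vulnerability and threat scales, and the band thresholds are assumptions of this example.

```python
from dataclasses import dataclass

# The article's high/medium/low asset classification, mapped to numeric
# weights for the product formula (the weights are an assumption here).
ASSET_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    name: str
    classification: str   # "high", "medium" or "low"
    vulnerability: int    # 0-5: how exposed the asset is (assumed scale)
    threat: int           # 0-5: how actively it is targeted (assumed scale)

    def risk(self) -> int:
        """R = A x V x T, the product formula from the article."""
        return ASSET_WEIGHT[self.classification] * self.vulnerability * self.threat


def risk_band(score: int) -> str:
    """Bucket a score so remediation proceeds high, then medium, then low.
    Thresholds are assumed; the maximum possible score is 3 * 5 * 5 = 75."""
    if score >= 30:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


def remediation_order(assets: list) -> list:
    """Return (name, risk, band) tuples sorted by descending risk."""
    ranked = sorted(assets, key=lambda a: a.risk(), reverse=True)
    return [(a.name, a.risk(), risk_band(a.risk())) for a in ranked]


# Constructed inventory for illustration only.
INVENTORY = [
    Asset("patient-db", "high", 4, 4),       # 3*4*4 = 48 -> high
    Asset("public-web", "medium", 5, 3),     # 2*5*3 = 30 -> high
    Asset("dev-desktop", "low", 3, 2),       # 1*3*2 = 6  -> low
    Asset("hr-fileserver", "medium", 2, 3),  # 2*2*3 = 12 -> medium
    Asset("kiosk", "low", 0, 5),             # no vulnerability -> zero risk
]

if __name__ == "__main__":
    for name, score, band in remediation_order(INVENTORY):
        print(f"{name:15} risk={score:3} band={band}")
```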

Measuring Process
Every company can develop its own measuring process. A basic metrics evaluation considers compliance at the server, database, application, network and desktop levels. The score for each item ranges from zero if a control or device is not implemented to five if it exists. At the server level, for instance, both the IDS and anti-virus are implemented, scoring five each. However, host IDS is yet to be implemented, so its score would be zero.
Such a scoring mechanism gives a clear picture of where spending should go in the next IT budget.

Scoring zero on a particular item does not by itself indicate a need for investment. If you score zero on encryption and your company is in the healthcare business, then you will certainly need to invest in encryption tools to secure patient data.

However, your business may not require source code security, and if so there is no need to invest in it. You may not use a database at all. In some cases desktops might be solely front-end interfaces, with all storage and computing centralized; consequently, network- and server-level security might be more important. You can develop your own metrics along the same lines.
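As an added example (not from the article), the 0/5 scorecard described above, scored per level and per control, with a gap report that lists only the zero-scored controls a given business profile actually requires. The control names, the scorecard values and the "required" profiles are constructed for illustration.

```python
LEVELS = ["server", "database", "application", "network", "desktop"]
IMPLEMENTED, MISSING = 5, 0

# Constructed scorecard: 5 where the control exists at that level, 0 where it
# does not. The server row matches the article's example (IDS and anti-virus
# present, host IDS absent).
SCORECARD = {
    "server":      {"ids": 5, "anti_virus": 5, "host_ids": 0, "encryption": 0},
    "database":    {"encryption": 0, "access_control": 5, "audit_logging": 5},
    "application": {"source_code_security": 0, "input_validation": 5},
    "network":     {"firewall": 5, "ids": 5},
    "desktop":     {"anti_virus": 5, "encryption": 0},
}

# Controls each business profile needs at each level (assumed profiles).
# A thin-client office that writes no code needs no source code security
# and no desktop encryption, so those zeros are not investment gaps for it.
REQUIRED = {
    "healthcare": {"server": {"ids", "host_ids", "encryption"},
                   "database": {"encryption"},
                   "desktop": {"anti_virus", "encryption"}},
    "thin_client_office": {"network": {"firewall", "ids"},
                           "server": {"ids", "anti_virus"}},
}


def level_coverage(level: str) -> float:
    """Percentage of the scored controls that are implemented at one level."""
    scores = list(SCORECARD[level].values())
    return 100.0 * sum(scores) / (IMPLEMENTED * len(scores))


def investment_gaps(profile: str) -> list:
    """(level, control) pairs scored 0 that this profile requires.
    Controls the profile does not require are ignored even when scored 0."""
    gaps = []
    for level, controls in REQUIRED[profile].items():
        for control in sorted(controls):
            if SCORECARD[level].get(control, MISSING) == MISSING:
                gaps.append((level, control))
    return gaps


if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:12} coverage={level_coverage(level):5.1f}%")
    for profile in REQUIRED:
        print(profile, "gaps:", investment_gaps(profile))
```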

Risk versus Money
You need to constantly measure risk posture. There must be continuous improvement in the security posture of the company’s environment. If you spend on anti-virus tools, you should notice fewer viruses in your environment. The key is to validate your return on security investment (RoSI).

Security spending must show progress. You need to show continuous growth in the value of the environment. By installing a firewall you must be able to consistently block myriad threats and vulnerabilities; only then is the investment in the firewall validated.
Suppose you purchased a firewall for $1,000. Before you had that firewall, a denial of service attack slowed your Internet connection, or a hacker attack brought down your web server. It takes ten hours to replace the web server, and the network bandwidth was choked for ten hours. If the loss was $100 per man-hour and the system admin team was working on it, the loss could escalate to $10,000. By spending $1,000 on a firewall, you are saving $9,000 in downtime.

You can apply this strategy to the whole environment. If you have between five and ten developers whose systems go down due to virus attacks, you can calculate the loss for those ten developers in the same way.

Attaching figures to a network's security helps the chief information security officer's counterpart in the finance department assess whether the company's security strategy is working.

These metrics can be used as a guide for spending and resource allocation, by showing specific returns on investment and tangible measures of change. The metrics can be tracked diligently and benchmarked against industry averages. Companies can also compare the scores of their individual offices and apply the right security measures to the greatest-risk areas in order to achieve significant cost reductions.

You now have a structure and standard to demonstrate the organizational health from a security standpoint.

Gary Bahadur is a co-founder of Foundstone, which was recently acquired by McAfee. Bahadur is an expert in strategic security software. This article is based on a presentation made by Bahadur.
