Informazioni personali

Cerca nel blog

Translate

venerdì 26 luglio 2013

Digging it up on Security Costs and Security Budgets - part1

In my previous article, security costs and security budget, I made some assumption to simplify an introductory analysis on how much we should spend on security.

Some of those assumptions have been made to simplify out tasks.

Today I would like to quickly analyse some of those simplifications.

One of the biggest assumption I made on the previous article is that if a problem cost us X then we can find a number n that express the number of incidents I’m allowed to permit so that nX can express the cost I’m allowed to accept. This simplification was based on two ideas, the first is that (as reported in the article)

Just to translate this in terms of Systems engineering this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a Dos attack?
I should answer really  I DON’T CARE  since the result would be systems down anyway.

the second is that the incident cost is X and the cost remain the same for each repetition.

The truth is a little different since, again, we have to take into account some human behaviour aspects and other occurrences.

with the simplified model presented in the previous article we were able to assume that

stating C as the cost we could afford we were able to find a relation where

C=nX

would be quite easy so determine the n number of incidents since would have been

n=C/X

now the n number would have been useful when trying to determine the kind of technologies we need to put in place.

In a real environment C is not a constant because the process “P” has not a fixed value. This means that C is a function and not a constant value, and depends on some factors as the sensibility of the management, the risk perception and of course the value of the process itself.

C(P,t ….)

Of course C and the process P can be fixed to make our budget to predetermined values at a certain time “t0” for example we can consider the value of P and C at the start of the year based on the previous year experience.

on the other end it is not truth that all the incidents that make me to stop the process can cause me the same costs.

If I stop the process “P“, for example, for a HW failure I’ll have different internal impact if the stop to “P” is due to an hacking.

Even if the two occurrences make the same damage (for example think of a disk failure because of a HW failure as a broken controller, or software failure due to a virus) the perceived quality of the damage is different (and somehow irrational).

An HW failure is usually well understood and usually some mitigations are improved by design and usually well tolerated from the upper management, on the other end an Hack would be perceived as a more serious matter (and, as a matter of fact it should be).

Here we have the irrational behaviour, although an Hacking, or malware attack would be perceived as more dangerous the risk perception on those kind of aspect is so low that management do not even put some effort by design as for an HW failure.

This means that the X is different for any kind of accident and so we will not have a single “n” to count on but

csommatoriaxni

where the

niXi

are related to the different kind of incidents that can occur to the  process P

Obviously we have to take in account the fact that  niXi    are somehow critical where ni and Xi  (with n related to X both bound to a specific type of incident)  are the parameters we should use to understand what part of the budget should be allocated on a specific technology.

so here the question:

if both the incidents we talked before (HW failure and Software Hack) have to be considered how I have to deal when balancing the budget?

One way, used by most of the company, is to transfer part of the risk to another department.

This is usually the dept. in charge of storage or servers or…..

So apparently this seems a good thing, you as a security guy have to deal with less stuffs, but the reality is that a portion of the security budget is diverted on other budget voices so that you loose control and contract power when contracting your budget. Basically the problem is how you can ensure that the HW failure worths more or less money than the money related to the hack?

On the other end, an objection I usually receive is: if we put this in the security spending we we’ll see just that that budget would be reduced without further explanations.

in other words Ctot would be not equal to the sum of the two C(HW) + C(Hack)

Ctot<C(Hw)+C(Hack).

Alas security metrics are still considered too much complicated for most of the management, and this is not my statement but the result of several survey and literature, so it is hard to change this behaviour.

To Be Continued ….


[contact-form]

Digging it up on Security Costs and Security Budgets - part1

In my previous article, security costs and security budget, I made some assumption to simplify an introductory analysis on how much we should spend on security.

Some of those assumptions have been made to simplify out tasks.

Today I would like to quickly analyse some of those simplifications.

One of the biggest assumption I made on the previous article is that if a problem cost us X then we can find a number n that express the number of incidents I’m allowed to permit so that nX can express the cost I’m allowed to accept. This simplification was based on two ideas, the first is that (as reported in the article)

Just to translate this in terms of Systems engineering this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a Dos attack?
I should answer really  I DON’T CARE  since the result would be systems down anyway.

the second is that the incident cost is X and the cost remain the same for each repetition.

The truth is a little different since, again, we have to take into account some human behaviour aspects and other occurrences.

with the simplified model presented in the previous article we were able to assume that

stating C as the cost we could afford we were able to find a relation where

C=nX

would be quite easy so determine the n number of incidents since would have been

n=C/X

now the n number would have been useful when trying to determine the kind of technologies we need to put in place.

In a real environment C is not a constant because the process “P” has not a fixed value. This means that C is a function and not a constant value, and depends on some factors as the sensibility of the management, the risk perception and of course the value of the process itself.

C(P,t ….)

Of course C and the process P can be fixed to make our budget to predetermined values at a certain time “t0” for example we can consider the value of P and C at the start of the year based on the previous year experience.

on the other end it is not truth that all the incidents that make me to stop the process can cause me the same costs.

If I stop the process “P“, for example, for a HW failure I’ll have different internal impact if the stop to “P” is due to an hacking.

Even if the two occurrences make the same damage (for example think of a disk failure because of a HW failure as a broken controller, or software failure due to a virus) the perceived quality of the damage is different (and somehow irrational).

An HW failure is usually well understood and usually some mitigations are improved by design and usually well tolerated from the upper management, on the other end an Hack would be perceived as a more serious matter (and, as a matter of fact it should be).

Here we have the irrational behaviour, although an Hacking, or malware attack would be perceived as more dangerous the risk perception on those kind of aspect is so low that management do not even put some effort by design as for an HW failure.

This means that the X is different for any kind of accident and so we will not have a single “n” to count on but

csommatoriaxni

where the

niXi

are related to the different kind of incidents that can occur to the  process P

Obviously we have to take in account the fact that  niXi    are somehow critical where ni and Xi  (with n related to X both bound to a specific type of incident)  are the parameters we should use to understand what part of the budget should be allocated on a specific technology.

so here the question:

if both the incidents we talked before (HW failure and Software Hack) have to be considered how I have to deal when balancing the budget?

One way, used by most of the company, is to transfer part of the risk to another department.

This is usually the dept. in charge of storage or servers or…..

So apparently this seems a good thing, you as a security guy have to deal with less stuffs, but the reality is that a portion of the security budget is diverted on other budget voices so that you loose control and contract power when contracting your budget. Basically the problem is how you can ensure that the HW failure worths more or less money than the money related to the hack?

On the other end, an objection I usually receive is: if we put this in the security spending we we’ll see just that that budget would be reduced without further explanations.

in other words Ctot would be not equal to the sum of the two C(HW) + C(Hack)

Ctot<C(Hw)+C(Hack).

Alas security metrics are still considered too much complicated for most of the management, and this is not my statement but the result of several survey and literature, so it is hard to change this behaviour.

To Be Continued ….


[contact-form]

giovedì 25 luglio 2013

Security Costs and Security Budgets

When I’m talking about security with customers, partners or at an event the first question I usually receive is:

“how much this will cost to me?”

This is an understandable question, costs have to be monitored and expenditure have to be planned wisely, the problem of  how much I canshould spend on security is a quite interesting topic.

The problem, alas, is that usually IT managers do not use a clear model when planning investment in security but seamed to be attracted more by strange inner believes than a empirical analysis of cost and benefits.
Another point that I’ve always found quite curious is that I’ve been asked lot of times the ROI of a security implementation, while the only parameters taken in account are how much I will spend now and how much I would spend the next “X” years.

To be honest there is a great hole when talking about security costs in literature. One of the reason is probably that  this is quite a new area in terms of studies, on the other end there are not in the market clear and wide used models that can help us to design and understand the impact of security or un-security.

So I’m wondering if it is really possible to understand how much it is worth to spend for security and if there are guidance that can help us to drive our efforts.

The first points I take in account are two postulates:

The first one is quite simple, no matter how much you spend you will never be able to avoid any risk: perfect systems just simply does not exist. you can transfer or mitigate a Risk, but the risk itself does not disappear.

The second point means that is really hard to understand what happen and the impact of a risk. Even if we’re talking about a simple field like information security there is not an enough lever of understanding of what really happen. Dealing with risks and relative costs should involve the impact a risk can have on a business, and the aspect of this impact are, partially, unpredictable because depends on external factors, externalities and the unpredictable human behavior.

So does this means I should not care abut security?

On the contrary this means that this is a quite difficult exercise, and more study on this subject would be appreciated.
Let’s start with some considerations:

Why I need security on my IT networks?

The main reason we should secure our networks is because our networks are used to let our company make profits.

Without our networks we would not be able to handle data, communications, business process and so on.

Networks are not just a silly benefit or a luxury optional but are an integral part of our business, we live in an interconnected world, we like it or not, and networks are the instruments we use to reach our customers, sell o buy things, works and communicate.
Networks are also used for personal fun and most of the time, nowadays, the same tools can be used either to work and leisure vanishing the differentiation between the two enivornment.

As IT networks pertain to business, it pertains also to human behaviour, so we have to take in account business needs as well as human needs.

If we cannot expect that someone works 2424365 without losing concentration or productivity, as well we cannot expect to increase productivity if our systems upset their users or does not meet their standard or expectation.

Our IT networks and their components are a foundation for our business and personal relationships. this means they will be used to process data that are valuable, and a disruption of the service provided could result in a loss of money, direct or indirect.

What I’m talking about? I’m talking about your laptop that you use for work and to play or watch movies, your smartphone or tablet, your internet browsing, your Skype and your VoIP, your teleconference and videophones, your email, your home internet connection, your mobile internet edge connection, your iPad, your iPhone, your android Samsung S4, your 3d smart TV…. Everything that is under our experience is, somehow, related to IT networks and data processing.

But if IT networks are such a relevant part, and if over the network we pass such a great amount of data, we need to do something to protect the reliability of the service provided and the data we exchange through it.

So make sense to consider some money for IT security, but how much and what this means?
Of course there are several consideration to take in account when we talk about security, and a network design should implement by itself most of the security related issues: for example all the stuff related to HA, redundancy, performance and management are common fields for networks designers and IT geek.
A network should be fast, reliable and friendly to manage. But since our networks should be used also by users for business transactions and more, should be understandable, usable and the closest to user proof as possible (someone once told me that IT networks without users would have been perfect, although, he agreed, quite useless). The user experience is not secondary, but is one of the most important factor related to security and productivity (yes both).
Another important consideration: network is not for IT gurus or IT geek or Hacker and stuffs, so stop to consider user like morons (OK sometimes they seems to be, I admit it, but usually they give the same feeling also in other life and work field), users are the reason of our incomes Smile.

The need for security is not so far away from the need of a network itself, security is just one of the aspect and so should be take in account also during network design, and, at the end, security has a relevant impact on our activities.

  • What would you think if someone else read your email?
  • or if someone read your credit card transaction to steal you money?
  • or if your e-commerce site would be taken down?
  • Or if your customers would be affected by something taken in your site?
  • Or if your  employees data would be stolen?
  • or if your network would shut down for some reason?
  • Or if someone modify data of your transactions…

those kind of questions are deeply related to security issues; this is security.
So if it is quite simple to understand the issue, the problem is to understand:

  • how much make sense to spend?
  • what I need to implement?

The answers usually are:

  • the less is the better,
  • well I will never allow this in my network,

and

  • do I really need it?

Wait is this an answer for something that seems to be so important?

The problem is that network owners and managers are usually not involved in business procedures as well as in human behaviour. It is just recently that security analysis start to consider the human effect on decision and risks (not only in IT I have to say Smile).
But if the network owner is not involved in the business process design, at the same time the business owners are not involved in network design. To make them understand each other we use a shared media: money. Everything have to be converted in how much I spend and the ROI related.
Let’s say I do not like the ROI, is something really difficult to calculate, and what is worse, usually the most important parameters are not even taken into account. But anyway a good IT manager should be able to translate needs into money to allow the other managers to understand what he is talking about.

To convert IT security into money is an extraordinary difficult effort, because (remember postulate 2) I never met anyone who is able to estimate correctly the profit and loss of an IT departmentHot smile.

Let’s take some real life examples to understand what I’m talking about.

Sony security approach

Consider Sony PSN Hack;they did not spend quite anything on security to secure their networks. The reason has been, obviously, that they estimated the risk exposure and the damage of an hack quite insignificant. Alas they made a mistake and this would cost them a lot of money in terms of loss of profit for the days the network has been closed (direct loss), costs of recovery, cost of image (that at the moment I’m not able to predict but considering the coverage this hack have had I should say will cost a lot), legal cost for customers that will sue Sony….
So the network managers have not been able to explain the need of securing the networks, and I suppose this has been related partially to the fact they didn’t have a clear vision of the business model they were implementing (as well as the other managers I should say).
Do they analyse the impact of this hack when they were designing the PSN network? Do they make a risk assessment considering the loss (direct and not direct) related to such stop? I don’t think so otherwise they would have bought at least a firewall and implemented patch management strategy Smile.
I can hear their thoughts before the hack: “But, come one is just a game platform, and we need to make profit and cut costs, so why we should care about security,just marketing. we do not need it what could happen? some kid playing for free? does not worth the cost.”
As well as their thoughts after the hack: “how the hell this could be happen? nobody told us anything, someone (else) will have to pay for this.  … We did all possible we could not imagine something like that (sic)…. Hack? what’s hack? …”

  • Was so hard to suppose that someone could have broken into the network? (a global and well known one. )
  • Do they really not realize that they were processing sensible data?
  • Do they really thoughts that recover form an hack would have been quick, easy and without consequences (or minimal ones)?
The RSA way

On the other way is not assured that if you have great skills on security you’re invulnerable, as RSA hack showed us. Come on this is a security company that has been hacked in one of the most protected networks because of someone leverage Human behaviour with spear phishing email, social engineering and some good hacking work.

  • were they expecting someone would have been able to force their defences?
  • did they prepare a public communication schema to address public and customer concerns?
  • did they put in place countermeasures to protect their customers for risks related to this data loss?

RSA Hack demonstrate how much damage can be related to not direct costs, although the hack itself didn’t bring any damage to RSA products and it’s customers, costs related to bad press coverage, word of mouth and image damage has been quite high. think a RSA guy going to a customer where a competitor just told the RSA hack story…

The truth is that even if we feel confident we can be fooled. Either if we put in place security or not, we can be hacked. So it does not worth to be protected?
Those two examples are extreme situations, but most of our networks (all of them actually) could fall in between those two extreme.

The others does not feel better:

Lockheed Martin,  Honda, Toyota, Epsilon, Vodafone, Word press, Google, The Gawker media…do I have to name more hacked reality or this is enough to make you feel I’m talking about something real?
Don’t considering correctly security could be damn expensive, those days events are full of those example.

  • So is there a way to make a guideline to understand the first brick of our security wall?
  • How much would I lose if I don’t put security in place? and what I need to address correctly a problem?
  • And what are the risks I can be exposed to?

Basically the problem for an IT manager is to understand how much money he can ask to company management for security.
Well the aspects to take in account are several, the idea is to put an insurance on business process to allow continuity and minimize money loss. Apparently this is an easy task, but it is an exercise that usually IT managers don’t do not because they do not want to but because information required are not usually available.

Again we can take as an example the Sony affair, the PSN networks was used to generate revenue, and the hack stopped those revenues.

We should try to ask to ourselves: how much would this kind of security incident cost?
We have different elements that could be taken in account:

  • What is the value of the process I’m trying to protect?
  • How can I estimate is the direct loss related to the security incident?
  • Are there indirect loss related to the incident (image loss, customer disaffection, credibility loss…)?

Once we have outlined all the questions we should be able to define somehow the kind of security outbreak we’re trying to address and the relative process to secure it.

What is the value of the process I’m trying to protect?

It is not so easy to define the value of a process, we know that if we are selling a good we earn something, so we could assume that the value of this process (selling a good) is just  equal to “what I get in terms of money” – “the money I spent to make the sell”.
Alas in a world where data, trust and communication are valuable this is not enough. How much the PSN Sony network was valuable to Sony? Just only related to the money they directly collected? or there were some externalities that should have been taken in account?

To use a different point of view we can consider a best selling products as Samsung smartphone Samsung S3 and Samsung S4. The value of each sold piece was not only in the commercial deal itself, but even more important was the marketing related to the sell. Each S3 sold was increasing the marketing share the image and the strength of Samsung brand. Selling so much S3 was the key to become the anti-Apple and gain the throne with s4. I leave to marketing analyst and economist to understand how much was related to each sold piece. 🙂

As a good exercise we could try to understand the value of something just trying to consider what happen when I got a problem.

So I have the PSN network up and running, after the hack I have had to face some direct costs:

the money I did not received during the stop, the cost to rebuld the network and make it up and running again…

But then I have had to face cost related to the hungry customers so I offered something to them to make them calm down…
wait I have to make customer happy again?
This means that the value of a service is not only related to the direct revenues, but also, just as an example, to the image value that this service is providing to the company.
There are factors that rise the value of a process that can be indirectly related to the process itself but can have a strong impact in case of failure or security incident. Customer satisfaction, trust, image are just a few.

How much worth a process is outside the scope of this article, but I wanted jut to make you realize that things are not so easy at it could seems. At the end some values are just determined by a good dose of guessing Smile. We are not able to determine how is the real value, but we can make some assumption and create a target value indicator that we can use for any further analysis. But to do so we need to involve all the player of a business process.

How much can I afford to loose?

Once we’re able to determine somehow the value of something we should try to evaluate how much we can afford to lose of that value.
So, for instance, assuming that a service provide me a net value of 100day once I’ve taken out all the related direct and indirect costs, how much I can loose without forcing me to close?
Let’s say I have to stop the service for some reason, will this be acceptable? and if it is acceptable how much this service can be down without affecting my activity?
So if I have 100day I can think in a month to have 100 * 20 working days = 2000 net income
a day off will cost me 100 (I’m over simplifying, I know) .
if I stop for 5 days a month means that I would lose  500 so my net income would be 1500: can I afford this?

There is not such a standard answer, it could be yes I can or it could be no I can’t.

If I can afford the loss basically it makes no sense to address the 5 days stop problem, and maybe I can concentrate on the >5days stop problem.
What we have here is a way to measure how much money can be related to a certain problem. It does not make really any sense to understand, at this level, what can cause the problem, we’re just trying to understand the effect of the problem no matter what is the cause.
Just to translate this in terms of Systems engineering this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a Dos attack?
I should answer really  I DON’T CARE  since the result would be systems down anyway.

The best baseline I can create the best consideration I’ll be able to do, and some empirical experience is usually a good indicator, that means managers usually understand the value of security AFTER they have been punched (PSN affair teach Angry smile).

Risks % and Murphy’s law

We know now that we have a process that is valuable, and we know that if we have a problem it will cost us a certain amount of money “X”, and we know that we can afford to loose “nX” money where “n” is the number of incidents.

The next step is to be able to understand (or guess) what is the risk that the incident happen to me so to be able to identify “n“.
we have, basically, 3 possibilities

  • 0 chances that the incident comes: so no blocks at all
  • 100% chances that the incident happen and block me 100% of my time
  • something in between

The first possibility has simply not to be taken into account. Murphy’s law teach us that if something can go wrong it will, and this is basically truth for any engineering process. There is nothing that can be perfect and invulnerable, even Superman has his low moments (remember the Kryptonite).

This means we cannot be sure that we will never see a problems, but does not means you will see it Smile.  Sometimes incidents happens without anyone realize it, one of the most controversial areas of IT and generally speaking of process management is the analysis of the incidents.

The second bullet refers to a condition where you are 100% sure that the process will not work, this case is worthless to spend time dealing with this. If I’m sure it will not work I don’t need anything else Party smile. The process itself has no reason to exist, although is not so unusual find process implemented and never used, think of IPS and IDS implementation never actually monitored or used.

So we’re somewhere in between, the only thing we know is that we’re vulnerable Smile.
Recap the steps done till now: we know our process is valuable, and we know that we can convert this value in money terms so that the rest of the managers can understand it.
We also know how much will cost us a “general” security incident in terms of missed revenues and how much we would be allowed to loose without affecting the business.
What we need now is to understand how many chances I have to be affected by the incident. We know that this is an exercise of black magic 

The best way is to call the dark forces of evil and ask them what are their plan for the next period of time. Alas since they’re forces of evil it is hard to have a good answer, and so I think we should take some other ways to try to do this.
The best alternative way usually is statistics, baselines, and expertise.
We usually know that a disk chance to broke is generally low, mostly because by design we use redundant raid systems, as well for software and HW server failures we usually have this kind of prevision. But for a denial of service? do we actually risk one? how much?

What I have to consider when I try to understand my exposure to kacking attacks?

The answer is, again, not so easy; taking in account the process you’re trying to protect, the things that could be valuable for any external source, the risk trends, the visibility of the company and so on.  Arrghhhhhhhhhh

Turning back to Sony: appear quite clear to me the risk of being hacked was considered very low, but they did not realize that there were at least 3 factors that would have been taken into account:

1) the hack was a way to reach something valuable : user information, email, and credit cards.
the way someone value a data can differ from it’s owner, email are not considered so valuable if you’re not a marketer, but if you’re a spammer they worth the hack.
2) the Sony name was a big name and this would have turn all media and expert eyes on the hack itself, this would have magnified the damage in terms of image, as well redirecting other hackers onto the target that showed such a big vulnerability. And in effect the hack was followed by  numerous other ones.
3) Sony was dealing with some hacking problem related to the PS2 hacking code, and was exposed for its strict comment on internet piracy. This would have expose the brand also to acktivism and not only cybercrime.
Just considering those 3 factors would be clear that a hack would have been not only possible but probable.

This is something we should think more about, we need to protect our assets because they’re valuable for us, this does not means that someone outside would not find something else valuable even if we do not consider it worthy.
Sony as been hacked because hacker found something valuable that Sony managers were not valuing , this increased the risk of a security incident as well as the repetition of it.

Assuming we are so smart to understand the % of risk an incident can happen we have enough element to start to understand how much worth security and so how much we should spend on it.

Let’s do some math

If we did our homework’s and follow the simple steps provided previously we have now some elements to make some guessing,

  • A – We know more or less how much worth our process
  • B – We know more or less how much would cost us a single incident
  • C – We know how much we can afford to loose.
  • D – We know that there is some % risks that the incident will hit me.

Alas those are not static value but functions that changes during time and are strongly related to what happen at the  border, the equation able to describe the relationship between all of this elements and the external worlds are out of the scope of those articles (come on this is an introduction Angel)
Basically we are now in the process of building our insurance based on something we will negotiate internally to our team and with the management.
The idea is that I want to spend some money in order to address the incident, and I want to do it , basically, to achieve a couple of goals:

  • Lower the % of risk the incident will hit me
  • Lower the cost of the single incident

It is clear to me that we have a couple of considerations to take in account.
The security expenses cannot be higher or equal than the value we can loose. It’s worthless to protect an asset spending a bigger value than the value of the asset itself.
This means that the Total Cost of Security (TCoS) cannot be higher of A where A is the value of the process (I know those variables does not exist but I love to create those sort of things Hot smile sound so professional Nyah-Nyah)

TCoS << A

the reason is that if our protection systems costs close to the value of the process would be useless.

On the other end we knows that TCoS should be lower than C, this is because if security costs the same amount we are ready to lose there would not be any good reason to spend those money. So

<

p style=”text-align:center;”>TCoS <<C

At the same times we know that TCoS is related to the value D and the kind of security incident (Can I call it SI? ) basically TCoS can be represented by a function of some variables:

TCoS=F(C, t, SI, D)

where “t” is the time.
Basically TCoS is the highest amount of money I can afford to pay to protect my process. But we know that this is a target value and the management will newer allow to spend this, so we will have just a fraction of this value, let’s call it the Available Total Cost of Security (ATCoS).

We will have that ATCoS << TCoS  basically the amount of money we will be able to allocate for security is just a small fraction of what we should spend.

Why ATCoS is sensibly lower than  TCoS? The basic reasons are related to the:

  • great dose of guessing that we use to determine A, B, C and D functions.
  • negotiation with the management in order to allocate resources
  • a usually very low understanding of the implication of security in business
  • some strong cultural barrier to understand the impacts of new technologies
  • bad capability to present the value of a solution in understandable terms for the management
  • mix of allocated security resources in different departments and

Of course I strongly doubt that there is any IT man that create it’s own Total Cost of Security function so we usually use some empirical experience to guide us and some easy rules:

  • 1) the less is the better
  • 2) the less is the better
  • 3) they will never give me what I need
  • 4) they do not understand
  • X) have I told the less is the better?

Some tricks can be used when trying to define a security budget, the first of all is to find a sponsor, and marketing usually is a good resource. We should be able to point out the risks related to the image and the bad influence that some security risks can have.
think again about Sony affair, but also to Honda and the other big firms that have been targeted recently.
The second trick is to be aligned on what is happening in the world in the security space.

You do not have to be a guru, just you need to find good and impressive events that can be used in a discussion to enforce your point. Those days are full of events, just use Google news or similar service to have in your mail a updated recap. would be useful for us to be able to explain our needs (the company needs actually) by examples.
If Sony PSN Networks Managers would have been instructed that identity thefts are so common nowadays and can be so destructive in terms of image probably would have adopted a completely different approach to security.
The two parameters TCoS and ATCoS are also a function of times and communication effort spent, if there are a lot of security warnings and previous incidents experience those two parameters changes
Again if we think about the Sony PSN affair  we have had pre-incident a TCoS that was close to 0 and consequently the ATCoS was basically 0.
What drive the TCoS close to 0 was the misunderstanding of the % of risks of an incident to occur “D” and the cost of the incident itself “B”.

If we look at what happened it appears clear that the risk of the incident was underestimated just because managers were not taking into account the damage would have result form the hacking (remember, it’s not just the direct costs…) and were not taking in account that there was something valuable for other (personal data) that could have been reached. Likewise they did not took in account the consequences in terms of emulation and acktivism.

Once again we have to remember that security is something that require cross-functional experience to be correctly evaluated.
At the end to have an idea of the value of ATCoS we should make some assumption, take some agreement and do some negotiation. But is this enough?

Sony affair teach us that there is another term of the equation that should be taken into account: the minimum cost of security I’m allowed to put in place.

This quantity is the minimum expense I have to budget in order to provide a minimumlifesaver level of security.
If we call mTCoS the Minimum Total Cost of Security we should assume that

0<<mTC0S<ATCos<<TCoS

The mimum Total Cost of Security is what make sense to spend in order to provide a minimum level of security in our systems.
It is related to several constrains:

  • How much I can loose in case of incident
  • legalcontract requirement
  • the technical aspect of the implementation of the solution:
    • direct costs of implementation (project, devices, training)
    • personnel
    • managementsupport
  • business impact of the implementation

mTCoS is a key parameter when negotiating with the management, this is the lowest level you can go in terms of resources, if you do not even reach this level you will not able to provide the level of service that can avoid the function we defined at point C (how much we can afford to loose in case of incident)
since mTCoS is <<TCoS it is obvious that is also << of the value expressed in the function a point “C”
If mTCoS is close to TCoS this means we have no margin for negotiation (and this is really bad, believe me) or we made the wrong assumption.
Although this condition appear to be far from be real, there are areas where security expenditure are usually calculated with a mTCos close to TCoS. The typical example is the Storage area, where security (well part of it) is usually integrated in the solution, so nobody consider a Raid implementation an extra security level anymore.

When we have this kind of situation, a sort of undisputed must to have, the negotiation is really easier. There are some other areas where this security approach can be taken, think, for example, about the desktoplaptop implementation of an antivirus client.

How rational is this kind of approach? Well usually this is an approach consolidated and taken for correct without any critical analysis. The risk here is to avoid to take in consideration solution that can provide a better coverage of the security needs and security needs change every day.
We need to be able to estimate the mTCoS in order to negotiate our security budget to do so we need some tools and instruments, that should be generally used also for our routine management and IT budget calculation.
I don’t spend a word now about legal constrains, but I would like to make some considerations upon the technical aspect.
If we know that we need a minimum level of security we should be able to measure it, make confronts versus a data baseline that can help us to understand if we are doing the right thing or not, make some measurement on the changing threat landscape and some forecast.
All this require some statistical knowledge, at least at high and light level,  to forecast what we need and we’ll need.
But here comes an area where people makes a lot of mistakes and I would like to spend a few words on it.

The trucks and the wheels

Let’s assume there is a statistics that say the average wheels for a truck is 5, what do you understand?
If you aspect to find a 5 wheels truck on the road you should have a problem Smile!
If the average wheels are 5 it could means you have some trucks with 4 and some with 6 let’s say 50% and 50%.

With only two options understanding this is quite easy, but if the output options are higher sometimes is hard to understand statistics.

This is quite common in the security space where the interactions between aspects that are, apparently, unrelated are enormous.

Alas a lot of people in the security space is looking for the 5 wheels trucks and does not check the 4 and 6 ones. Sometimes we concentrate just on some aspect of the process because we think are the only relevant objects, and do not analyse the process itself; the result is that we focus on the wrong target or, better, we invest more money on the 5 wheels truck hunting than on the 4 and 6 ones.
The result is that we miscalculate the element that are used to calculate the mTCoS diverting resources to some other things.
The classical example is the email management.
It is quite common to implement an anti-spam solution, but spam is not considered in the whole aspect,is just considered an annoying thing to deal with because managers can complain.
As well some content filter policies are implemented but without a real understanding of the consequences and potential threats or productivity impact.
The result is a set of policy and security services that, from a security perspective, does not actually make any sense, and the money invested basically does not provide the level of service that with the  mTCoS should be provided.

Since probably the mTCoS has not even been calculated (it require the definition of the process we need to secure and the relative minimum level of service) this simply means that security implementation does not address a security concerns but just some random aspects with, probably, a sub-optimal allocation of resources

IT managers don’t allow to exchange executable files through the mail, but at the same time allow to use external webmail without restriction.

Use anti spam gateway systems but do not provide an antimalware gateway system to protect form the few mail that can pass through the solution even if mails are 99.9% html based.

Provide some security effort to protect mail client but the allow users to use their unprotected smartphone or tablet.

So while we’re looking for our 5 wheels security  truck a lot of other vehicles pass under our noses.

Understanding what we have to look for to secure a process is mandatory in order to be able to analyse costs.

The mTCoS is strictly related with the process we want to secure and the minimum level of service we can accept.

To be able to calculate mTCoS we should be able to understand:

how the process works :components, storage, users, structure …
how (if) the process is related to other process
which kind of data are of any interest to secure within the process

The best approach is to minimize the process structure and divide it in smaller elements that can be analysed in an easier way.

The final mTCoS will be the sum of all the mTCoSx provided for every subsystem.

so basically if we have a process P we can divide it different sub-steps p

and the resultant mTCoS will be (more or less)

First we should try to find out what process we want to protect and determine the minimum level of service we can accept, then we should be able to divide it in smaller process to make our task easier and define for each smaller process requirement and interaction.

Once we have created our process model we can finally define which are the risks for each sub process and the whole process that we should consider in order to give the required level of service.

Once we have defined the risks and process we can prioritize them in an arbitrary way considering some aspects: the impact of the risk, the percentage that that event can occur.

The final step of this operation is to watch the market to see products and technologies that address our list of risks in order to secure our process at an acceptable level and define our mTCoS.

Of course we should do a little exercise of imagination when dealing with risks:  how much can we transfer? how much can we mitigate? How much can we recover? …?
Several technologies offers different approach and different costs for the several aspect of risk management.

Just theory?

Believe or not this is an approach that can drive our expenditure in the right direction, that is not spend the less possible, but spend the correct amount of money do address correctly the problems I need in order to provide the level of services requiredrequested.

On the other end we can use the Sony approach :) but remember spending “0″ or “100″ without a correct plan is equally a nonsense.

[contact-form]

To be continued….
 

Security Costs and Security Budgets

When I’m talking about security with customers, partners or at an event the first question I usually receive is:

“how much this will cost to me?”

This is an understandable question, costs have to be monitored and expenditure have to be planned wisely, the problem of  how much I canshould spend on security is a quite interesting topic.

The problem, alas, is that usually IT managers do not use a clear model when planning investment in security but seamed to be attracted more by strange inner believes than a empirical analysis of cost and benefits.
Another point that I’ve always found quite curious is that I’ve been asked lot of times the ROI of a security implementation, while the only parameters taken in account are how much I will spend now and how much I would spend the next “X” years.

To be honest there is a great hole when talking about security costs in literature. One of the reason is probably that  this is quite a new area in terms of studies, on the other end there are not in the market clear and wide used models that can help us to design and understand the impact of security or un-security.

So I’m wondering if it is really possible to understand how much it is worth to spend for security and if there are guidance that can help us to drive our efforts.

The first points I take in account are two postulates:

The first one is quite simple, no matter how much you spend you will never be able to avoid any risk: perfect systems just simply does not exist. you can transfer or mitigate a Risk, but the risk itself does not disappear.

The second point means that is really hard to understand what happen and the impact of a risk. Even if we’re talking about a simple field like information security there is not an enough lever of understanding of what really happen. Dealing with risks and relative costs should involve the impact a risk can have on a business, and the aspect of this impact are, partially, unpredictable because depends on external factors, externalities and the unpredictable human behavior.

So does this means I should not care abut security?

On the contrary this means that this is a quite difficult exercise, and more study on this subject would be appreciated.
Let’s start with some considerations:

Why I need security on my IT networks?

The main reason we should secure our networks is because our networks are used to let our company make profits.

Without our networks we would not be able to handle data, communications, business process and so on.

Networks are not just a silly benefit or a luxury optional but are an integral part of our business, we live in an interconnected world, we like it or not, and networks are the instruments we use to reach our customers, sell o buy things, works and communicate.
Networks are also used for personal fun and most of the time, nowadays, the same tools can be used either to work and leisure vanishing the differentiation between the two enivornment.

As IT networks pertain to business, it pertains also to human behaviour, so we have to take in account business needs as well as human needs.

If we cannot expect that someone works 2424365 without losing concentration or productivity, as well we cannot expect to increase productivity if our systems upset their users or does not meet their standard or expectation.

Our IT networks and their components are a foundation for our business and personal relationships. this means they will be used to process data that are valuable, and a disruption of the service provided could result in a loss of money, direct or indirect.

What I’m talking about? I’m talking about your laptop that you use for work and to play or watch movies, your smartphone or tablet, your internet browsing, your Skype and your VoIP, your teleconference and videophones, your email, your home internet connection, your mobile internet edge connection, your iPad, your iPhone, your android Samsung S4, your 3d smart TV…. Everything that is under our experience is, somehow, related to IT networks and data processing.

But if IT networks are such a relevant part, and if over the network we pass such a great amount of data, we need to do something to protect the reliability of the service provided and the data we exchange through it.

So make sense to consider some money for IT security, but how much and what this means?
Of course there are several consideration to take in account when we talk about security, and a network design should implement by itself most of the security related issues: for example all the stuff related to HA, redundancy, performance and management are common fields for networks designers and IT geek.
A network should be fast, reliable and friendly to manage. But since our networks should be used also by users for business transactions and more, should be understandable, usable and the closest to user proof as possible (someone once told me that IT networks without users would have been perfect, although, he agreed, quite useless). The user experience is not secondary, but is one of the most important factor related to security and productivity (yes both).
Another important consideration: network is not for IT gurus or IT geek or Hacker and stuffs, so stop to consider user like morons (OK sometimes they seems to be, I admit it, but usually they give the same feeling also in other life and work field), users are the reason of our incomes Smile.

The need for security is not so far away from the need of a network itself, security is just one of the aspect and so should be take in account also during network design, and, at the end, security has a relevant impact on our activities.

  • What would you think if someone else read your email?
  • or if someone read your credit card transaction to steal you money?
  • or if your e-commerce site would be taken down?
  • Or if your customers would be affected by something taken in your site?
  • Or if your  employees data would be stolen?
  • or if your network would shut down for some reason?
  • Or if someone modify data of your transactions…

those kind of questions are deeply related to security issues; this is security.
So if it is quite simple to understand the issue, the problem is to understand:

  • how much make sense to spend?
  • what I need to implement?

The answers usually are:

  • the less is the better,
  • well I will never allow this in my network,

and

  • do I really need it?

Wait is this an answer for something that seems to be so important?

The problem is that network owners and managers are usually not involved in business procedures as well as in human behaviour. It is just recently that security analysis start to consider the human effect on decision and risks (not only in IT I have to say Smile).
But if the network owner is not involved in the business process design, at the same time the business owners are not involved in network design. To make them understand each other we use a shared media: money. Everything have to be converted in how much I spend and the ROI related.
Let’s say I do not like the ROI, is something really difficult to calculate, and what is worse, usually the most important parameters are not even taken into account. But anyway a good IT manager should be able to translate needs into money to allow the other managers to understand what he is talking about.

To convert IT security into money is an extraordinary difficult effort, because (remember postulate 2) I never met anyone who is able to estimate correctly the profit and loss of an IT departmentHot smile.

Let’s take some real life examples to understand what I’m talking about.

Sony security approach

Consider Sony PSN Hack;they did not spend quite anything on security to secure their networks. The reason has been, obviously, that they estimated the risk exposure and the damage of an hack quite insignificant. Alas they made a mistake and this would cost them a lot of money in terms of loss of profit for the days the network has been closed (direct loss), costs of recovery, cost of image (that at the moment I’m not able to predict but considering the coverage this hack have had I should say will cost a lot), legal cost for customers that will sue Sony….
So the network managers have not been able to explain the need of securing the networks, and I suppose this has been related partially to the fact they didn’t have a clear vision of the business model they were implementing (as well as the other managers I should say).
Do they analyse the impact of this hack when they were designing the PSN network? Do they make a risk assessment considering the loss (direct and not direct) related to such stop? I don’t think so otherwise they would have bought at least a firewall and implemented patch management strategy Smile.
I can hear their thoughts before the hack: “But, come one is just a game platform, and we need to make profit and cut costs, so why we should care about security,just marketing. we do not need it what could happen? some kid playing for free? does not worth the cost.”
As well as their thoughts after the hack: “how the hell this could be happen? nobody told us anything, someone (else) will have to pay for this.  … We did all possible we could not imagine something like that (sic)…. Hack? what’s hack? …”

  • Was so hard to suppose that someone could have broken into the network? (a global and well known one. )
  • Do they really not realize that they were processing sensible data?
  • Do they really thoughts that recover form an hack would have been quick, easy and without consequences (or minimal ones)?
The RSA way

On the other way is not assured that if you have great skills on security you’re invulnerable, as RSA hack showed us. Come on this is a security company that has been hacked in one of the most protected networks because of someone leverage Human behaviour with spear phishing email, social engineering and some good hacking work.

  • were they expecting someone would have been able to force their defences?
  • did they prepare a public communication schema to address public and customer concerns?
  • did they put in place countermeasures to protect their customers for risks related to this data loss?

RSA Hack demonstrate how much damage can be related to not direct costs, although the hack itself didn’t bring any damage to RSA products and it’s customers, costs related to bad press coverage, word of mouth and image damage has been quite high. think a RSA guy going to a customer where a competitor just told the RSA hack story…

The truth is that even if we feel confident we can be fooled. Either if we put in place security or not, we can be hacked. So it does not worth to be protected?
Those two examples are extreme situations, but most of our networks (all of them actually) could fall in between those two extreme.

The others does not feel better:

Lockheed Martin,  Honda, Toyota, Epsilon, Vodafone, Word press, Google, The Gawker media…do I have to name more hacked reality or this is enough to make you feel I’m talking about something real?
Don’t considering correctly security could be damn expensive, those days events are full of those example.

  • So is there a way to make a guideline to understand the first brick of our security wall?
  • How much would I lose if I don’t put security in place? and what I need to address correctly a problem?
  • And what are the risks I can be exposed to?

Basically the problem for an IT manager is to understand how much money he can ask to company management for security.
Well the aspects to take in account are several, the idea is to put an insurance on business process to allow continuity and minimize money loss. Apparently this is an easy task, but it is an exercise that usually IT managers don’t do not because they do not want to but because information required are not usually available.

Again we can take as an example the Sony affair, the PSN networks was used to generate revenue, and the hack stopped those revenues.

We should try to ask to ourselves: how much would this kind of security incident cost?
We have different elements that could be taken in account:

  • What is the value of the process I’m trying to protect?
  • How can I estimate is the direct loss related to the security incident?
  • Are there indirect loss related to the incident (image loss, customer disaffection, credibility loss…)?

Once we have outlined all the questions we should be able to define somehow the kind of security outbreak we’re trying to address and the relative process to secure it.

What is the value of the process I’m trying to protect?

It is not so easy to define the value of a process, we know that if we are selling a good we earn something, so we could assume that the value of this process (selling a good) is just  equal to “what I get in terms of money” – “the money I spent to make the sell”.
Alas in a world where data, trust and communication are valuable this is not enough. How much the PSN Sony network was valuable to Sony? Just only related to the money they directly collected? or there were some externalities that should have been taken in account?

To use a different point of view we can consider a best selling products as Samsung smartphone Samsung S3 and Samsung S4. The value of each sold piece was not only in the commercial deal itself, but even more important was the marketing related to the sell. Each S3 sold was increasing the marketing share the image and the strength of Samsung brand. Selling so much S3 was the key to become the anti-Apple and gain the throne with s4. I leave to marketing analyst and economist to understand how much was related to each sold piece. 🙂

As a good exercise we could try to understand the value of something just trying to consider what happen when I got a problem.

So I have the PSN network up and running, after the hack I have had to face some direct costs:

the money I did not received during the stop, the cost to rebuld the network and make it up and running again…

But then I have had to face cost related to the hungry customers so I offered something to them to make them calm down…
wait I have to make customer happy again?
This means that the value of a service is not only related to the direct revenues, but also, just as an example, to the image value that this service is providing to the company.
There are factors that rise the value of a process that can be indirectly related to the process itself but can have a strong impact in case of failure or security incident. Customer satisfaction, trust, image are just a few.

How much worth a process is outside the scope of this article, but I wanted jut to make you realize that things are not so easy at it could seems. At the end some values are just determined by a good dose of guessing Smile. We are not able to determine how is the real value, but we can make some assumption and create a target value indicator that we can use for any further analysis. But to do so we need to involve all the player of a business process.

How much can I afford to loose?

Once we’re able to determine somehow the value of something we should try to evaluate how much we can afford to lose of that value.
So, for instance, assuming that a service provide me a net value of 100day once I’ve taken out all the related direct and indirect costs, how much I can loose without forcing me to close?
Let’s say I have to stop the service for some reason, will this be acceptable? and if it is acceptable how much this service can be down without affecting my activity?
So if I have 100day I can think in a month to have 100 * 20 working days = 2000 net income
a day off will cost me 100 (I’m over simplifying, I know) .
if I stop for 5 days a month means that I would lose  500 so my net income would be 1500: can I afford this?

There is not such a standard answer, it could be yes I can or it could be no I can’t.

If I can afford the loss basically it makes no sense to address the 5 days stop problem, and maybe I can concentrate on the >5days stop problem.
What we have here is a way to measure how much money can be related to a certain problem. It does not make really any sense to understand, at this level, what can cause the problem, we’re just trying to understand the effect of the problem no matter what is the cause.
Just to translate this in terms of Systems engineering this means: would it make any difference if the service stop is due to a broken disk, a server HW failure, a software failure, a network failure or a Dos attack?
I should answer really  I DON’T CARE  since the result would be systems down anyway.

The best baseline I can create the best consideration I’ll be able to do, and some empirical experience is usually a good indicator, that means managers usually understand the value of security AFTER they have been punched (PSN affair teach Angry smile).

Risks % and Murphy’s law

We know now that we have a process that is valuable, and we know that if we have a problem it will cost us a certain amount of money “X”, and we know that we can afford to loose “nX” money where “n” is the number of incidents.

The next step is to be able to understand (or guess) what is the risk that the incident happen to me so to be able to identify “n“.
we have, basically, 3 possibilities

  • 0 chances that the incident comes: so no blocks at all
  • 100% chances that the incident happen and block me 100% of my time
  • something in between

The first possibility has simply not to be taken into account. Murphy’s law teach us that if something can go wrong it will, and this is basically truth for any engineering process. There is nothing that can be perfect and invulnerable, even Superman has his low moments (remember the Kryptonite).

This means we cannot be sure that we will never see a problems, but does not means you will see it Smile.  Sometimes incidents happens without anyone realize it, one of the most controversial areas of IT and generally speaking of process management is the analysis of the incidents.

The second bullet refers to a condition where you are 100% sure that the process will not work, this case is worthless to spend time dealing with this. If I’m sure it will not work I don’t need anything else Party smile. The process itself has no reason to exist, although is not so unusual find process implemented and never used, think of IPS and IDS implementation never actually monitored or used.

So we’re somewhere in between, the only thing we know is that we’re vulnerable Smile.
Recap the steps done till now: we know our process is valuable, and we know that we can convert this value in money terms so that the rest of the managers can understand it.
We also know how much will cost us a “general” security incident in terms of missed revenues and how much we would be allowed to loose without affecting the business.
What we need now is to understand how many chances I have to be affected by the incident. We know that this is an exercise of black magic 

The best way is to call the dark forces of evil and ask them what are their plan for the next period of time. Alas since they’re forces of evil it is hard to have a good answer, and so I think we should take some other ways to try to do this.
The best alternative way usually is statistics, baselines, and expertise.
We usually know that a disk chance to broke is generally low, mostly because by design we use redundant raid systems, as well for software and HW server failures we usually have this kind of prevision. But for a denial of service? do we actually risk one? how much?

What I have to consider when I try to understand my exposure to kacking attacks?

The answer is, again, not so easy; taking in account the process you’re trying to protect, the things that could be valuable for any external source, the risk trends, the visibility of the company and so on.  Arrghhhhhhhhhh

Turning back to Sony: appear quite clear to me the risk of being hacked was considered very low, but they did not realize that there were at least 3 factors that would have been taken into account:

1) the hack was a way to reach something valuable : user information, email, and credit cards.
the way someone value a data can differ from it’s owner, email are not considered so valuable if you’re not a marketer, but if you’re a spammer they worth the hack.
2) the Sony name was a big name and this would have turn all media and expert eyes on the hack itself, this would have magnified the damage in terms of image, as well redirecting other hackers onto the target that showed such a big vulnerability. And in effect the hack was followed by  numerous other ones.
3) Sony was dealing with some hacking problem related to the PS2 hacking code, and was exposed for its strict comment on internet piracy. This would have expose the brand also to acktivism and not only cybercrime.
Just considering those 3 factors would be clear that a hack would have been not only possible but probable.

This is something we should think more about, we need to protect our assets because they’re valuable for us, this does not means that someone outside would not find something else valuable even if we do not consider it worthy.
Sony as been hacked because hacker found something valuable that Sony managers were not valuing , this increased the risk of a security incident as well as the repetition of it.

Assuming we are so smart to understand the % of risk an incident can happen we have enough element to start to understand how much worth security and so how much we should spend on it.

Let’s do some math

If we did our homework’s and follow the simple steps provided previously we have now some elements to make some guessing,

  • A – We know more or less how much worth our process
  • B – We know more or less how much would cost us a single incident
  • C – We know how much we can afford to loose.
  • D – We know that there is some % risks that the incident will hit me.

Alas those are not static value but functions that changes during time and are strongly related to what happen at the  border, the equation able to describe the relationship between all of this elements and the external worlds are out of the scope of those articles (come on this is an introduction Angel)
Basically we are now in the process of building our insurance based on something we will negotiate internally to our team and with the management.
The idea is that I want to spend some money in order to address the incident, and I want to do it , basically, to achieve a couple of goals:

  • Lower the % of risk the incident will hit me
  • Lower the cost of the single incident

It is clear to me that we have a couple of considerations to take in account.
The security expenses cannot be higher or equal than the value we can loose. It’s worthless to protect an asset spending a bigger value than the value of the asset itself.
This means that the Total Cost of Security (TCoS) cannot be higher of A where A is the value of the process (I know those variables does not exist but I love to create those sort of things Hot smile sound so professional Nyah-Nyah)

TCoS << A

the reason is that if our protection systems costs close to the value of the process would be useless.

On the other end we knows that TCoS should be lower than C, this is because if security costs the same amount we are ready to lose there would not be any good reason to spend those money. So

<

p style=”text-align:center;”>TCoS <<C

At the same times we know that TCoS is related to the value D and the kind of security incident (Can I call it SI? ) basically TCoS can be represented by a function of some variables:

TCoS=F(C, t, SI, D)

where “t” is the time.
Basically TCoS is the highest amount of money I can afford to pay to protect my process. But we know that this is a target value and the management will newer allow to spend this, so we will have just a fraction of this value, let’s call it the Available Total Cost of Security (ATCoS).

We will have that ATCoS << TCoS  basically the amount of money we will be able to allocate for security is just a small fraction of what we should spend.

Why ATCoS is sensibly lower than  TCoS? The basic reasons are related to the:

  • great dose of guessing that we use to determine A, B, C and D functions.
  • negotiation with the management in order to allocate resources
  • a usually very low understanding of the implication of security in business
  • some strong cultural barrier to understand the impacts of new technologies
  • bad capability to present the value of a solution in understandable terms for the management
  • mix of allocated security resources in different departments and

Of course I strongly doubt that there is any IT man that create it’s own Total Cost of Security function so we usually use some empirical experience to guide us and some easy rules:

  • 1) the less is the better
  • 2) the less is the better
  • 3) they will never give me what I need
  • 4) they do not understand
  • X) have I told the less is the better?

Some tricks can be used when trying to define a security budget, the first of all is to find a sponsor, and marketing usually is a good resource. We should be able to point out the risks related to the image and the bad influence that some security risks can have.
think again about Sony affair, but also to Honda and the other big firms that have been targeted recently.
The second trick is to be aligned on what is happening in the world in the security space.

You do not have to be a guru, just you need to find good and impressive events that can be used in a discussion to enforce your point. Those days are full of events, just use Google news or similar service to have in your mail a updated recap. would be useful for us to be able to explain our needs (the company needs actually) by examples.
If Sony PSN Networks Managers would have been instructed that identity thefts are so common nowadays and can be so destructive in terms of image probably would have adopted a completely different approach to security.
The two parameters TCoS and ATCoS are also a function of times and communication effort spent, if there are a lot of security warnings and previous incidents experience those two parameters changes
Again if we think about the Sony PSN affair  we have had pre-incident a TCoS that was close to 0 and consequently the ATCoS was basically 0.
What drive the TCoS close to 0 was the misunderstanding of the % of risks of an incident to occur “D” and the cost of the incident itself “B”.

If we look at what happened it appears clear that the risk of the incident was underestimated just because managers were not taking into account the damage would have result form the hacking (remember, it’s not just the direct costs…) and were not taking in account that there was something valuable for other (personal data) that could have been reached. Likewise they did not took in account the consequences in terms of emulation and acktivism.

Once again we have to remember that security is something that require cross-functional experience to be correctly evaluated.
At the end to have an idea of the value of ATCoS we should make some assumption, take some agreement and do some negotiation. But is this enough?

Sony affair teach us that there is another term of the equation that should be taken into account: the minimum cost of security I’m allowed to put in place.

This quantity is the minimum expense I have to budget in order to provide a minimumlifesaver level of security.
If we call mTCoS the Minimum Total Cost of Security we should assume that

0<<mTC0S<ATCos<<TCoS

The mimum Total Cost of Security is what make sense to spend in order to provide a minimum level of security in our systems.
It is related to several constrains:

  • How much I can loose in case of incident
  • legalcontract requirement
  • the technical aspect of the implementation of the solution:
    • direct costs of implementation (project, devices, training)
    • personnel
    • managementsupport
  • business impact of the implementation

mTCoS is a key parameter when negotiating with the management, this is the lowest level you can go in terms of resources, if you do not even reach this level you will not able to provide the level of service that can avoid the function we defined at point C (how much we can afford to loose in case of incident)
since mTCoS is <<TCoS it is obvious that is also << of the value expressed in the function a point “C”
If mTCoS is close to TCoS this means we have no margin for negotiation (and this is really bad, believe me) or we made the wrong assumption.
Although this condition appear to be far from be real, there are areas where security expenditure are usually calculated with a mTCos close to TCoS. The typical example is the Storage area, where security (well part of it) is usually integrated in the solution, so nobody consider a Raid implementation an extra security level anymore.

When we have this kind of situation, a sort of undisputed must to have, the negotiation is really easier. There are some other areas where this security approach can be taken, think, for example, about the desktoplaptop implementation of an antivirus client.

How rational is this kind of approach? Well usually this is an approach consolidated and taken for correct without any critical analysis. The risk here is to avoid to take in consideration solution that can provide a better coverage of the security needs and security needs change every day.
We need to be able to estimate the mTCoS in order to negotiate our security budget to do so we need some tools and instruments, that should be generally used also for our routine management and IT budget calculation.
I don’t spend a word now about legal constrains, but I would like to make some considerations upon the technical aspect.
If we know that we need a minimum level of security we should be able to measure it, make confronts versus a data baseline that can help us to understand if we are doing the right thing or not, make some measurement on the changing threat landscape and some forecast.
All this require some statistical knowledge, at least at high and light level,  to forecast what we need and we’ll need.
But here comes an area where people makes a lot of mistakes and I would like to spend a few words on it.

The trucks and the wheels

Let’s assume there is a statistics that say the average wheels for a truck is 5, what do you understand?
If you aspect to find a 5 wheels truck on the road you should have a problem Smile!
If the average wheels are 5 it could means you have some trucks with 4 and some with 6 let’s say 50% and 50%.

With only two options understanding this is quite easy, but if the output options are higher sometimes is hard to understand statistics.

This is quite common in the security space where the interactions between aspects that are, apparently, unrelated are enormous.

Alas a lot of people in the security space is looking for the 5 wheels trucks and does not check the 4 and 6 ones. Sometimes we concentrate just on some aspect of the process because we think are the only relevant objects, and do not analyse the process itself; the result is that we focus on the wrong target or, better, we invest more money on the 5 wheels truck hunting than on the 4 and 6 ones.
The result is that we miscalculate the element that are used to calculate the mTCoS diverting resources to some other things.
The classical example is the email management.
It is quite common to implement an anti-spam solution, but spam is not considered in the whole aspect,is just considered an annoying thing to deal with because managers can complain.
As well some content filter policies are implemented but without a real understanding of the consequences and potential threats or productivity impact.
The result is a set of policy and security services that, from a security perspective, does not actually make any sense, and the money invested basically does not provide the level of service that with the  mTCoS should be provided.

Since probably the mTCoS has not even been calculated (it require the definition of the process we need to secure and the relative minimum level of service) this simply means that security implementation does not address a security concerns but just some random aspects with, probably, a sub-optimal allocation of resources

IT managers don’t allow to exchange executable files through the mail, but at the same time allow to use external webmail without restriction.

Use anti spam gateway systems but do not provide an antimalware gateway system to protect form the few mail that can pass through the solution even if mails are 99.9% html based.

Provide some security effort to protect mail client but the allow users to use their unprotected smartphone or tablet.

So while we’re looking for our 5 wheels security  truck a lot of other vehicles pass under our noses.

Understanding what we have to look for to secure a process is mandatory in order to be able to analyse costs.

The mTCoS is strictly related with the process we want to secure and the minimum level of service we can accept.

To be able to calculate mTCoS we should be able to understand:

how the process works :components, storage, users, structure …
how (if) the process is related to other process
which kind of data are of any interest to secure within the process

The best approach is to minimize the process structure and divide it in smaller elements that can be analysed in an easier way.

The final mTCoS will be the sum of all the mTCoSx provided for every subsystem.

so basically if we have a process P we can divide it different sub-steps p

and the resultant mTCoS will be (more or less)

First we should try to find out what process we want to protect and determine the minimum level of service we can accept, then we should be able to divide it in smaller process to make our task easier and define for each smaller process requirement and interaction.

Once we have created our process model we can finally define which are the risks for each sub process and the whole process that we should consider in order to give the required level of service.

Once we have defined the risks and process we can prioritize them in an arbitrary way considering some aspects: the impact of the risk, the percentage that that event can occur.

The final step of this operation is to watch the market to see products and technologies that address our list of risks in order to secure our process at an acceptable level and define our mTCoS.

Of course we should do a little exercise of imagination when dealing with risks:  how much can we transfer? how much can we mitigate? How much can we recover? …?
Several technologies offers different approach and different costs for the several aspect of risk management.

Just theory?

Believe or not this is an approach that can drive our expenditure in the right direction, that is not spend the less possible, but spend the correct amount of money do address correctly the problems I need in order to provide the level of services requiredrequested.

On the other end we can use the Sony approach :) but remember spending “0″ or “100″ without a correct plan is equally a nonsense.

[contact-form]

To be continued….