
Saturday, 29 November 2014

Roberto Gómez Bolaños has died

(Photo: Roberto Gómez Bolaños as El Chapulín Colorado; credit: Wikipedia)

The Mexican comedian died today at the age of 85, as confirmed by the television network Televisa, for which he worked his whole life.

"Chespirito" was a giant of comedy and television; I don't think there is a place in all of Latin America that did not get to know and love "El Chavo del Ocho" and "El Chapulín Colorado", a hero dressed in red who fought the bad guys with his chipote chillón despite his poor command of fear. Among his tricks for throwing off his enemies he used the "chiquitolina" pills to make himself small.

"I wanted to make a hero, an authentic one; I gave him more human characteristics, he likes women (because with Superman and Batman there was some doubt). I offered the character to many actors and they all turned it down, but when I had the chance to act, then I was able to make El Chapulín Colorado, which opened the doors of all of America to me,"

said Bolaños in an interview.

I was able to discover this man's genius thanks to my wife, who grew up in Mexico; here in Europe there are many who do not know who this great actor is, and I don't think they are going to broadcast anything on television. I still have a DVD of El Chapulín Colorado, which I am going to watch soon to remember a brilliant actor and show him to my daughter.

Thank you very much, Mr Bolaños, for the laughter and the happiness you gave to this world.

 

Thursday, 27 November 2014

The Italy of "records" (unfortunately negative ones)

I wanted to write about this topic a few days ago but, unfortunately, due to external factors I did not have time.

On Tuesday I was waiting at the station to catch a train, and what better occasion than this to read a little? So I gave myself over (my mistake, I admit it) to reading the news and ran into a series of articles on the not very flattering records held by our country.

How can one not cite, for example, the "annual happiness report" of the "Sustainable Development Solution Network", which places us among the unhappiest on the planet, and probably in the universe?

This report is meant to give us an idea of the real standard of living in a given country or, if you prefer, of where people live best.

It is not only a matter of sterile numerical considerations such as those on GDP, public debt, unemployment and deindustrialisation, in which we already excel in the negative sense among industrialised countries, but of the impact these and other factors have on quality of life.

Obviously the happiest seem to be the usual suspects: Denmark, Norway, Switzerland, the Netherlands, Sweden and Canada. It seems that even the absence of sun and sea can be compensated for or, if you prefer, that sun and sea are perhaps no longer enough to determine quality of life.

To help us understand the reasons for this perception, a statistic issued by the European Union states that we alone produce half of the corruption present in Europe, at a cost to most of us of 4 or 5 points of GDP (60-70 billion euro a year). And then we are surprised that the Germans do not trust us.

At this point one might ask why; one indication can come from the American Chapman Institute and the British Ipsos-MORI, whose data ended up in "The Ignorance Index", where we proudly rank first.

Now, whether there is a link between corruption, ignorance, politics and unhappiness remains to be proven, but....

After all, we are the country of sea, sun and smiles; indeed, if we look at the statistics on the energy efficiency of homes we find that we are once again dead last in Europe with our 180 kWh/m2, while in return we rank first in average CO2 emissions from domestic buildings.

In short, data in hand, we are poor, unemployed, unhappy, corrupt, ignorant and we pollute more than the others, spending more than they do to heat our homes.

As they used to say: cornuti e mazziati (cuckolded and beaten too)?

 

The soft underbelly of Italian IT: security

Recently I have been involved in a number of ransomware attacks against Italian companies, and the matter worried me quite a bit, not so much because of the danger of the attack itself as because of the embarrassing lack of implemented security processes inside the various companies.

A lack of security that covers not only the purely technical aspects, but also the procedural and even the legal ones.

An infection by CryptoLocker, CryptoWall or similar is in fact a good occasion to test the defence mechanisms that have been implemented or, unfortunately, their total absence.

Generally, security coverage in Italian organisations is entrusted to a perimeter firewall and an antivirus. The total absence of security procedures is usually attested by the absence of an operating manual on IT security procedures, even where the law explicitly requires one.

So let us analyse what happens with a "normal" ransomware attack:

1) one or more machines are infected by some version of the malware.

The reasons behind the infection are many; even the presence of an antivirus does not guarantee absolute protection, since a new variant may not be detectable with the current virus signatures.

2) after installing itself on some machine on the network, the ransomware activates following an event.

The event could be a log-in by a user with sufficient administrative rights, an external command coming from a command-and-control infrastructure, and so on.

3) the malware starts encrypting resources.

Files, documents, folders and structures can be the object of the action, depending on the variant. Network resources can also be attacked through, for example, access to shares or shared folders.

More or less at this point one realises that an attack is in progress and tries to remedy it.

4) the malware informs the victim that the condition for removing the encryption from the attacked resources is to pay a certain sum, by various means ranging from a simple bank transfer to payment in cryptocurrencies such as bitcoin.

This mode of operation has been known for some time; ransomware has been on the market for about ten years in its various forms.

At this point, from the victim's point of view, one should act immediately, trying to isolate the infection, limit the damage and bring the network back to normal operation.

And it is here that the biggest gaps in our infrastructures show up.

Isolating the infection:

An attack of this type requires that the source of infection be isolated as quickly as possible. Since ransomware can force the encryption of both local and network resources, identifying the infected machine is not always straightforward.

The presence of an IPS/IDS, a SIEM or at least a log collector, together with procedures for analysing system logs, are the primary tools (the events visible in the Microsoft Event Viewer count as logs too).

The traces to look for are obviously the access activities on the encrypted files in terms of who, where and when: seeing who accessed and modified an encrypted file can indicate the source of the attack, assuming, without conceding, that it can be traced back to a single machine.

Once the machine is identified it must be isolated from the network; if it belongs to an Active Directory domain it is also advisable to remove it from that domain (this destroys the unique identifying SID associated with the machine, which could be used by a possible second infected device).

Limiting the damage:

On the damage mitigation side, several activities are needed:

1) inform your antivirus vendor of the attack so that an appropriate patch and possibly a removal tool can be issued

2) file a report with the Polizia Postale, since you have been the victim of a specific computer crime covered by our criminal and civil codes.

Depending on the answers to the first two points, the operational part may differ from case to case. For example, both the vendor and the Polizia Postale may require a minimum of forensic activity to identify the type of infection, the source of the attack and, possibly, the party responsible.

3) carry out antivirus/antimalware analysis procedures across the whole IT infrastructure once the antivirus/antimalware supplier has issued the patch.

This step is fundamental, since the risk of re-infection or of the activation of a second infected node is high. As said before, much ransomware is activated following events, so there could be infected machines on which the malicious code is simply dormant.

4) restore the compromised resources

This is a fairly critical point that once again requires some care, since the resources coming from a restore could themselves be infected or carry the malware. The restore must therefore initially be done in an isolated environment and checked by the updated antivirus solution, and possibly also subjected to a second test with a second antivirus brand.

Bringing resources back into operation:

This should be the last step: only after carrying out the steps mentioned above does it make sense to restore full operation, otherwise one runs the risk of merely postponing the problem.

Returning to operation also means redefining the operating procedures in light of the incident analysis, to reduce the risk that it happens again.

What is at stake:

As usual, a reactive rather than proactive approach to IT security also leads to an unclear view of the risks one faces in the event of such outbreaks.

There are at least two factors to consider:

1) the immediate damage, tied at a minimum to the loss of operations and the restoration of data

The costs associated with a security problem are made up of several components, such as data loss, legal constraints, restoration costs, the cost of lost operations, reputational costs... all components that should be part of the implementation considerations when designing a security system, and thus lead to the definition of the budget to dedicate to security itself. Such considerations are often neglected, assuming, without conceding, that any evaluation in this sense was made at all when defining and drafting budgets.

2) the possible legal repercussions if you become a vector of infection towards third parties.

Especially regarding the second point, a certain level of cheerful recklessness prevails in Italy, forgetting that, since the concept of strict liability (responsabilità oggettiva) applies, we are in fact responsible for any harm our IT infrastructure causes to third parties. The problem is both criminal and civil, and it is also worth remembering that the various specific technical regulations referenced by our IT legislation provide a set of MINIMUM constraints to comply with.

Failing to comply with these minimum constraints exposes us to the risk of criminal and civil proceedings, but even when these minimum parameters are met, the legislator has clearly expressed the concept that, although protected from possible criminal proceedings, we can still be pursued in civil court for damage caused to third parties by our IT infrastructure.

Indeed, the introduction of the concepts of suitability (idoneità) and keeping measures up to date (attualizzazione) into our sector legislation obliges us to go beyond the minimum protection levels indicated.

In other words:

the lack of an effective system protecting email and web browsing, the main vectors of infection and spread of malicious code, exposes us to the risk of being considered, in fact, co-responsible in the event of causing an infection to third parties, even if such solutions are not explicitly indicated in the legislator's technical references, because they are considered in practice established tools for protecting IT infrastructure.

However obvious and trivial these considerations may seem, the reality is that our IT organisations are often unprepared and ineffective even in the face of this kind of elementary problem.

 

Wednesday, 26 November 2014


Warning! A run of ransomware attacks in Italy

For two days now I have been receiving notifications from companies and individuals hit by different versions of CryptoLocker and other ransomware.


Evidently there is a resurgence of these attacks in our country these days. Some versions have remained "undetected" even by the major antivirus products, whose vendors are issuing specific patches (kudos to Sophos for the speed and effectiveness of its intervention in a case I encountered).

For those outside the sector: this malware installs itself on the infected host machines and starts encrypting documents, files and folders.

If the machine has access to remote shares, these too can be encrypted. To restore the resources a "ransom" is then often demanded, hence the term ransomware, usually via wire transfer (bank transfer) or virtual currencies such as bitcoin.

If you have been the target of an attack, I suggest you act quickly:

1) isolate the infected machine from the network; in an AD environment, also remove it from the domain

2) inform your antivirus vendor of the attack, if the antivirus has not yet identified the malware, so that the vendor can produce a patch "on the fly" and provide you with any removal tools

3) report the matter to the Polizia Postale, the only way to try to trace the source of the attack.

To check which machine is infected in the case of an attack on the network, you can look in the file access logs for who made the last modification.

Even when restoring data from earlier backups, still scan your environment both with the antivirus you use and, if possible, with a second brand.

USB sticks, mail servers and PST archives are the main risk vectors and therefore need special attention; if the infected machine belongs to a specific user, also run an antivirus scan of the latest emails received (the problem could lie in an attachment but also in an external link), and if the user accesses cloud storage such as Dropbox or Google Drive, force an antivirus scan of those contents as well.
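A worked example of the log check recommended here (who made the last modification to the encrypted files) and of the "who, where and when" analysis in the previous post: it parses file-server audit lines, counts modifying actions on encrypted files and ransom notes per user/host, and lists the shares the suspect host touched. This is added example code, not the blog author's; the log format, user and host names, the ".encrypted" suffix and the ransom-note file name are all constructed for the example and must be mapped onto your own SIEM or object-access audit fields.

```python
"""Locate the likely source of a ransomware outbreak from file-server audit logs.

Added example, not the blog's own code.  The audit line format below is
constructed for this example; real SIEM or Windows object-access events carry
the same information (time, user, host, action, path) under other field names.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit lines: one normal user, one infected workstation
# that rewrites documents on its local disk and on two network shares, and
# the normal user merely opening an already-encrypted file afterwards.
SAMPLE_LOG = """\
2014-11-25T09:10:44 user=l.bianchi host=WS-BIANCHI action=WRITE path=\\\\FS01\\Contabilita\\fatture.xlsx
2014-11-25T09:12:01 user=m.rossi host=WS-ROSSI action=WRITE path=C:\\Users\\m.rossi\\Documents\\offerta.docx.encrypted
2014-11-25T09:12:01 user=m.rossi host=WS-ROSSI action=CREATE path=C:\\Users\\m.rossi\\Documents\\DECRYPT_INSTRUCTIONS.txt
2014-11-25T09:12:03 user=m.rossi host=WS-ROSSI action=RENAME path=\\\\FS01\\Progetti\\offerta.docx.encrypted
2014-11-25T09:12:03 user=m.rossi host=WS-ROSSI action=RENAME path=\\\\FS01\\Progetti\\capitolato.pdf.encrypted
2014-11-25T09:12:04 user=m.rossi host=WS-ROSSI action=CREATE path=\\\\FS01\\Progetti\\DECRYPT_INSTRUCTIONS.txt
2014-11-25T09:12:05 user=m.rossi host=WS-ROSSI action=RENAME path=\\\\FS02\\Archivio\\bilancio2013.xlsx.encrypted
2014-11-25T09:30:10 user=l.bianchi host=WS-BIANCHI action=READ path=\\\\FS01\\Progetti\\offerta.docx.encrypted
2014-11-25T09:31:00 user=l.bianchi host=WS-BIANCHI action=WRITE path=\\\\FS01\\Contabilita\\fatture.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>[A-Z]+) path=(?P<path>.+)$"
)

# Assumed markers for this example; every ransomware family uses its own.
ENCRYPTED_SUFFIXES = (".encrypted",)
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt"}
# Only actions that change a file point at the encrypting machine; a READ of
# an already-encrypted file is a victim opening it, not the source.
MODIFYING_ACTIONS = {"WRITE", "RENAME", "CREATE"}


def parse_log(text):
    """Turn audit lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def looks_encrypted(path):
    """True for a file with the ransomware suffix or a dropped ransom note."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower().endswith(ENCRYPTED_SUFFIXES) or name in RANSOM_NOTE_NAMES


def encrypting_events(events):
    return [ev for ev in events
            if ev["action"] in MODIFYING_ACTIONS and looks_encrypted(ev["path"])]


def suspect_source(events, min_hits=3):
    """(user, host) with the most encrypted-file writes, plus the time window.

    Returns None when no principal reaches min_hits, so a single odd rename
    does not get a workstation pulled off the network.
    """
    counts = Counter((ev["user"], ev["host"]) for ev in encrypting_events(events))
    if not counts:
        return None
    (user, host), n = counts.most_common(1)[0]
    if n < min_hits:
        return None
    hits = [ev for ev in encrypting_events(events)
            if (ev["user"], ev["host"]) == (user, host)]
    return {"user": user, "host": host, "hits": n,
            "first": min(ev["ts"] for ev in hits),
            "last": max(ev["ts"] for ev in hits)}


def affected_shares(events, host):
    """UNC share roots the host wrote to: what to isolate and later restore."""
    shares = set()
    for ev in events:
        if ev["host"] != host or ev["action"] not in MODIFYING_ACTIONS:
            continue
        path = ev["path"]
        if path.startswith("\\\\"):
            parts = path[2:].split("\\")
            if len(parts) >= 2:
                shares.add("\\\\" + parts[0] + "\\" + parts[1])
    return shares


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    s = suspect_source(evs)
    if s is None:
        print("No encrypting principal found in the log sample")
    else:
        print(f"Suspect source: {s['user']}@{s['host']} ({s['hits']} encrypted-file "
              f"writes between {s['first']} and {s['last']})")
        print("Shares to isolate/restore:", sorted(affected_shares(evs, s["host"])))
```

The time window from the first to the last hit also bounds which backups predate the encryption.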

 

Have fun

Antonio

Monday, 24 November 2014

4G would be nice, but....


Okay

We have all seen the wonders of 4G in the adverts, stratospheric speeds.... (well, sort of)

But is anyone using it? I mean, can anyone use it outside Milan? For 4G you need two basic elements: COVERAGE and A COMPATIBLE DEVICE.

On the second element, just check the specifications of your phone or tablet. The fact that it is 3G does not mean it will run on 4G. Almost all new phones are 4G-capable, but if you bought yours a year ago you may have got one that is not compatible with the standard in question.

On the first element I must confess all my disappointment. I live in the province of Pavia, apparently the capital of the Italian digital divide. Here even getting 3G coverage is hard, and not infrequently you end up on EDGE without even realising it, except perhaps from the battery and the phone bill. Outside Milan, in the hinterland, coverage areas are patchy. From a quick check with friends and colleagues there seem to be no substantial differences between Vodafone and Telecom Italia; once again I wonder what the real state of coverage of the advertised services is.

Official statistics always report the famous coverage figures like 80% of the territory, 90% of the population.... so how come I always find myself in the wrong part of the country?

 

Will you tell me about your experience?

Thursday, 20 November 2014

1830 deaths, time-barred


The 18-year sentence for the Swiss magnate Stephan Schmidheiny, accused of environmental disaster, has been quashed; he says: "In the trial my rights were violated; in Turin, a conspiracy theory". But prosecutor Guariniello responds: "It is not an acquittal; now we open the homicide chapter". All provisional damages go up in smoke. The victims' relatives in the courtroom shout: "Shame". Chiamparino: "Deep indignation".

I want to go against the grain: the ruling does not scandalise me; on the contrary, I find it consistent with the wrecked overall framework of justice in Italy.

Environmental disaster, a charge that would deserve a far faster judgment than the one we had.

The scandal lies in the fact that this affair has dragged on since 1986 (we are at the end of 2014, so we are talking about 28 years) and the problem is not the mere blighting of an area, but contamination with a highly carcinogenic substance that, to date, has caused 1830 deaths in Casale Monferrato alone, for a total of over 3000 in our country.

I have not read the text of the ruling, nor do I think I will, but if the reasons given by the Court of Cassation are tied, as it seems, to the expiry of the statute of limitations, this is yet another defeat for our judicial system.

Personally, in such cases I find it more correct to divide the judicial activity into two strands: the environmental disaster on one side and the massacre on the other, because 3000 victims cannot fail to be considered a massacre.

But I frankly find it ridiculous that only in 2014 do we start talking about a possible homicide case, not because it should not be done, but because it should have been done much earlier.

Once again there will be no guilty parties, only victims (even Stephan Schmidheiny poses as a victim of a judicial system that, in reality, saved him thanks to its inefficiencies); once again there will be no one responsible, either ethically or morally, because I do not think the executives involved in the Eternit affair feel responsible in any way, and Schmidheiny has clearly expressed his thinking in this regard. Indeed, according to him, compensation should be paid to his company, the victim of judicial persecution.

Casale is a delightful town; I know it, my daughter used to go there to study dance. A delightful town that has not finished paying its toll of deaths for this affair, an affair that to date has not seen a worthy conclusion but only, yet again, the stirring up of pain and dismay before an Italian system that keeps falling apart before our eyes.

And it is not a matter of revising the limitation periods; it is the fact that you cannot force people to wait 28 years for a semblance of justice, only to then be told: we were joking, too much time has passed and so we cannot judge.

28 years are the true measure of this shame, and even though it will not happen, I would like the Cassation ruling to explain why, and through whose fault, it took 28 years to arrive at nothing, while people keep dying.

Antonio

 

Wednesday, 19 November 2014

Security design considerations

In the previous post () we learned that when planning a security budget we have to deal with hidden costs, assets, processes and a good deal of dealing with higher management.
The goal is to reach at least what I called the mTCoS.

Now, the problem I pointed out is that in order to define this target value we have to assess risks and rank them so that we can make choices.

This is quite an interesting topic per se, since it is still the object of study. I have seen several models that address the question; all have pros and cons, but they are basically based on empirical experience, so the results vary quite a lot from author to author.

My personal experience in the field does not help me, in the sense that I have seen quite different approaches to the question, and very little structured approach. The result was security implementation divided into compartments with little coordination, even in big companies with a CSO, a SOC and all the rest.

When we analyse a business process, we start by defining the steps of the process, the goals and the requirements. A similar approach is used in defining security risks.

But while the business process is driven by our needs and interacts with the external world, security is driven by external drivers that are almost unpredictable and that interact with our process.

Nevertheless, we can make some assumptions using the thousands of reports and statistics on threats and risks that are available on the market. If we start to consider what those reports tell us we can make some interesting discoveries.

What are the most common threats recorded in the wild? Do not be surprised if at the top we find SQL injection, social engineering, credential theft and phishing. The oldest techniques are still largely effective because of the lack of a correct analysis of security risks that affects too many implementations.

It is incredible that even today there are such poor security implementations, but the statistics tell us exactly this. Key basic features like strong authentication, encryption and log management are far from widely implemented. The same happens when we talk about data flow control: categorisation and standardisation are implemented only when there are compliance requirements from local laws or mandatory standards.

This is not just related to the network realm: software suffers from even greater security gaps than networks. Little has changed since I was trying to explain that using the COM+ security methods was a requirement for anyone developing in a Windows environment. Little has changed in the .NET era, even if the security tools have expanded their realm.

Managing authentication, encryption of communications, encryption of stored data, and role and privilege definition inside software are widely under-implemented.

Just as an example, consider the only recent wide implementation of HTTPS, two-factor authentication and a small set of other security options in widely used software like webmail or social networks.

After the Snowden affair we discovered that our data can be accessed and exposed by a very large number of people, governments and criminal groups, yet when we design security we still start by thinking just about firewall rules and a few other things.

The point is not whether Palo Alto or FireEye are good products or not (and indeed they are terrific products when inserted in the correct security context), but whether my security design needs those technologies, at what stage, with which prerequisites, and how I have to manage and integrate them.

Dealing with APTs without a SIEM, for example, is just a sterile exercise and a waste of money, but worrying about APTs without having a sound implementation of authentication procedures, user training and a good response team is as childish as dreaming of being a world champion without training and hard work.

A good security design requires a deep understanding of the processes that have to be secured, a collection of the potential points of failure related to the various aspects of the process, and an honest analysis of the requirements.

Legal constraints, environmental ones, technicalities and, of course, economics all have to be taken into account. And sometimes it would be more effective to warn that if a minimum level of requirements is not implemented, other implementations are just as useless as closing the door while keeping the windows open.

Security and Risks Updated

When I'm talking about security with customers, partners or at an event, the first question I usually receive is:

how much will this cost me?

This is an understandable question; costs have to be monitored and expenditures have to be planned wisely. How much I can spend on security is quite an interesting topic.

The problem, alas, is that usually IT managers do not use a clear model when planning investment in security, but seem to be attracted more by strange inner beliefs than by an empirical analysis of costs and benefits.
Another point that I've always found quite curious is that I've been asked many times for the ROI of a security implementation (ROSI), while the only parameters taken into account are how much I will spend now and how much I would spend over the next "X" years.

So I'm wondering if it is really possible to understand how much it is worth spending on security.
The first points I take into account are postulates:

The first one is quite simple: no matter how much you spend, you will never be able to avoid every risk; perfect systems simply do not exist. You can transfer or mitigate a risk, but the risk itself does not disappear.

The second point is that it is really hard to understand what happens and what the impact of a risk is. Even if we're talking about a simple field like information security, there is not a sufficient level of understanding of what really happens.

Dealing with risks and their relative costs should involve the impact a risk can have on a business, and the aspects of this impact are partially unpredictable because they partially depend on external factors, externalities and unpredictable human behaviour.

So does this mean I should not care about security?

On the contrary, it means that this is quite a difficult exercise, and more study on it would be appreciated.

Let’s start with some considerations:

SO WHY DO I NEED SECURITY ON MY IT NETWORKS?

The main reason we should secure our networks is that our networks are used to let our company make profits. Without our networks we would not be able to handle data, communications, business processes and so on.
Networks are not just a silly benefit or a luxury option but an integral part of our business; we live in an interconnected world, like it or not, and networks are the instruments we use to reach our customers, sell or buy things, work and communicate.

Networks are also used for personal fun and, most of the time, nowadays, the same tools can be used for work and leisure, making the distinction between the two vanish.

As IT networks pertain to business, they also pertain to human behaviour, so we have to take into account business needs as well as human needs.

Just as we cannot expect someone to work without losing concentration or productivity, we cannot expect to increase productivity if our systems upset their users.

So our IT networks and their components are a foundation for our business and personal relationships. This means they will be used to process data that is valuable, and a disruption of the service provided could result in a loss of money.

What am I talking about?

I'm talking about the laptop you use for work and play or to watch movies, your smartphone, your internet browser, your Skype and your VoIP, your teleconference and video phones, your email, your home internet connection, your mobile internet EDGE connection, your iPad, your iPhone, your Android Samsung Galaxy....

Everything within our experience is somehow related to IT networks and data processing.

But if IT networks are such a relevant part, and if over the network we pass such a great amount of data, we need to do something to protect the reliability of the services provided and the data we exchange through them.

So it could make sense to set aside some money for IT security, but how much, and what does this mean?

Of course there are several considerations to take into account when we talk about security; a sound network design should by itself address most security-related issues: for example, all the stuff related to HA, redundancy, performance and management are common fields for network designers and IT geeks.
A network should be fast, reliable and friendly to manage. But since our networks are also used by users for business transactions and more, they should be understandable, usable and as close to "user proof" as possible.

(someone once told me that IT networks without users would be perfect, although, he agreed, quite useless)

The user experience is not secondary, but is one of the most important factors related to security and productivity (yes, both).
Another important consideration: the network is not for IT gurus or IT geeks or hackers and the like, so stop considering users as morons (ok, sometimes they seem to be, I admit it, but usually they give the same feeling in other fields of life and work too); they are the reason for our income.

The need for security is not so far away from the need for a network itself; security is just one of the aspects and so should be taken into account also during network design, and in the end security has a relevant impact on our activities.

What would you think if someone else read your email? Or if someone read your credit card transactions to steal your money? Or if your e-commerce site were taken down? Or if your customers were affected by something picked up on your site? Or if your employees' data were stolen? Or if your network shut down for some reason?...
Those kinds of questions are deeply related to security issues: this is security.

So it is quite simple to understand why we need security; the problem is how much it makes sense to spend, and what I need to implement.
The answers usually are: the less the better; well, I will never allow this in my network; and do I really need it?
Wait, is this an answer for something that seems to be so important? The problem is that network owners and managers are usually not involved in business procedures, nor in human behaviour analysis.

It is only recently that security has started to consider the human effect on decisions and risks (not only in IT, I have to say).
But if the network owner is not involved in the business process, at the same time the business owners are not involved in network design, so to allow them to understand each other we need to use a common medium: money. Everything has to be converted into how much I spend and the related ROI.

Let's say I do not like ROI: it is something really difficult to calculate and, what is worse, usually the most important parameters are not even taken into account. But anyway a good IT manager should be able to translate needs into money to allow the other managers to understand what he is talking about.

Converting IT security into money is an extraordinarily difficult effort, because (remember postulate 2) I have never met anyone who is able to correctly estimate the profit and loss of an IT department.
Let's take some real examples to understand what I'm talking about.

SONY SECURITY APPROACH

Maybe someone remembers the Sony PlayStation Network hack of some years ago.

The managers responsible for the Sony hack did not spend anything on security to secure their networks. The reason was, obviously, that they estimated the risk exposure and the damage of a hack as quite insignificant. Alas, they made a mistake, and this cost them a lot of money in terms of loss of profit for the days the network was closed (direct loss), recovery costs, image costs (which at the moment I'm not able to predict, but considering the coverage this hack has had I should say it will cost a lot), legal costs from customers who will sue Sony....
So the network managers were not able to explain the need to secure the networks, and I suppose this was partly related to the fact that they didn't have a clear vision of the business model they were implementing (like the other managers, I should say).
Did they analyse the impact of this hack when they were designing the PSN network? Did they make a risk assessment considering the loss (direct and indirect) related to such a stop? I don't think so; otherwise they would have bought at least a firewall and implemented a patch management strategy.
I can hear their thoughts before the hack: "But come on, it's just a game platform, and we need to make profit and cut costs, so why should we care about security? Just marketing. We don't need it; what could happen? Some kid playing for free? It isn't worth the cost."
As well as their thoughts after the hack: "How the hell could this be happening? Nobody told us anything; someone (else) will have to pay for this. ... We did everything possible; we could not imagine something like that (sic).... Hack? What's a hack? ..."

  • Was so hard to suppose that someone could have broken into the network? (a global one. and well-known)
  • Do they really didn’t realize that they were processing sensible data?
  • Do they really thoughts that recover form a hack would have been quick, easy and without consequences (or minimal ones)?
THE OTHERS DOES NOT FEEL BETTER:

Lockheed Martin, Honda, Toyota, Epsilon, Vodafone, Word press, Google, The Gawker media…do you have to name more hacked reality or this is enough to make you feel I’m talking about something real?
Don’t considering correctly security could be damn expensive, those days events are full of those example.
So is there a way to make a guideline to understand the first brick of our security wall? How much would I lose if I don’t put security in place? and what I need to discuss correctly a problem? And what are the risks I can be exposed to?

RISK AND SECURITY: HOW MUCH TO SPEND? (INTRO AND MORE :))

Basically the problem for an IT manager is to understand how much money he can ask company management for security.
There are several aspects to take into account; the idea is to put an insurance on the business process to allow continuity and minimize money loss. Apparently this is an easy task, but it is an exercise that IT managers usually don't do.
Again we can take the Sony affair as an example: the PSN network was used to generate revenue, and the hack stopped that revenue.
We should ask ourselves: how much would this kind of security incident cost?
There are different elements that can be taken into account:

  • What is the value of the process I'm trying to protect?
  • How can I estimate the direct loss related to the security incident?
  • Are there indirect losses related to the incident (image loss, customer disaffection, credibility loss...)?

Once we have outlined all the questions we should be able to define, somehow, the kind of security incident we're trying to address and the related process to secure it.

WHAT IS THE VALUE OF THE PROCESS I'M TRYING TO PROTECT?

It is not so easy to define the value of a process. We know that if we sell a good we earn something, so we could assume that the value of this process (selling a good) is just the money I get minus the money I spent to make the sale.
Alas, in a world where data, trust and communication are valuable, this is not enough. How much was the PSN network worth to Sony? Only the money it directly collected? Or were there externalities that should have been taken into account?
A good exercise to understand the value of something is to consider what happens when I have a problem with it.
So I have the PSN network up and running; after the hack I have to face the direct costs, the money I did not receive during the stop. But then I have to face the costs related to angry customers, so I offer them something to calm them down...
Wait... I have to make customers happy again?
This means that the value of a service is not only related to its direct revenues but also, just as an example, to the valuable image that the service provides to the company.
There are factors that raise the value of a process which are only indirectly related to the process itself, but have a strong impact in case of failure or security incident. Customer satisfaction, trust and image are just a few.
How much a process is worth is outside the scope of this article, but I wanted to make you realize that things are not as easy as they seem. In the end some values are determined by a good dose of guessing.

Even if we are not able to find the real value, we can make some assumptions and create a target value indicator that we can use for further analysis.

HOW MUCH CAN I AFFORD TO LOSE?

Once we are able to decide, somehow, the value of something, we should evaluate how much of that value we can afford to lose.
So, for instance, assuming that a service gives me a net value of 100/day once all the related direct and indirect costs are taken out, how much can I lose without being forced to close?
Let's say I have to stop the service for some reason: is this acceptable? And if it is acceptable, for how long can this service be down without affecting my activity?
So if I have 100/day, in a month I can expect 100 * 20 working days = 2000 net income.

A day off will cost me 100 (I'm oversimplifying, I know).
If I stop for 5 days a month I lose 500, so my net income would be 1500: can I afford this?

There is no standard answer: it could be yes, I can, or no, I can't.

If I can afford the loss, it basically makes no sense to address the "5 days stop" problem, and maybe I can concentrate on the ">5 days stop" problem.

What we have here is a way to tie an amount of money to a certain problem. At this level it makes no sense to ask what can cause the problem; we're just trying to understand the effect of the problem, whatever the cause.

Translated into systems engineering terms: would it make any difference if the service stop were due to a broken disk, a server HW failure, a software failure, a network failure or a DoS attack?
Not really: the result is the same, systems down.
The better the baseline I create, the better the considerations I will be able to make, and empirical experience is usually a good indicator, which means that managers often understand the value of security AFTER they have been punched (as the PSN affair teaches).

RISK % AND MURPHY'S LAW

We now know that we have a process that is valuable, that if we have a problem it will cost us a certain amount of money "X", and that we can afford to lose "nX" money for "n" incidents.
The next step is to understand (or guess) what the risk is that event X happens to me.
We have, basically, 3 possibilities:

  • 0 chance that the incident happens, so no blocks at all
  • 100% chance that the incident happens and blocks me 100% of the time
  • something in between

The first possibility is simply not to be taken into account. Murphy's law teaches us that if something can go wrong it will, and this is basically true for any engineering process. Nothing is perfect and invulnerable, even Superman has his low moments. This means we cannot be sure that we will never see a problem, but it does not mean we will certainly see it.
The second bullet refers to a condition where you are 100% sure that the process will not work; it is worthless to spend time on this case, because if I'm sure it will not work I don't need anything else.

So we're somewhere in between; the only thing we know is that we're vulnerable.

Let's recap the steps so far: we know our process is valuable, and we know that we can convert this value into money so that the rest of the managers can understand it.

We also know how much a "generic" security incident will cost us in terms of missed revenue, and how much we could lose without affecting the business.

What we need now is to understand how many chances I have of being affected by an incident.

We know that this is an exercise in black magic; the best way would be to call the dark forces of evil and ask them what their plans for the next period are. Alas, since they're forces of evil, it is hard to get a good, honest answer, so I think we should find some other way.
The best way is usually to use statistics, baselines and expertise.

We know that the chance of a disk breaking is generally low, mostly because by design we use redundant RAID systems, and for software and HW server failures we usually have the same kind of provision. But for a denial of service? Are we actually at risk? How much?

Again the answer is not so easy: we should take into account the process we're trying to protect, the things that could be valuable to any external party, the risk trends, the visibility of the company and so on.
While Sony considered the risk of being hacked very low, they did not realize that there were at least 3 factors that should have been taken into account:
1) the hack was a way to reach something valuable: user information, email addresses and credit cards.

The way someone values a piece of data can differ from its owner's view: email addresses are not considered so valuable if you're not a marketer, but if you're a spammer they are worth the hack.

2) Sony was a big name, and this would turn all media and expert eyes on the hack itself, magnifying the damage in terms of image and redirecting other hackers to a target that showed such a big vulnerability.

3) Sony was dealing with the PS3 jailbreak dispute and was exposed for its strict stance on internet piracy. This exposed the brand to hacktivism, and not only to cyber crime.

Just considering these 3 factors it would have been clear that a hack was not only possible but probable.

This is something we should think more about: we need to protect our assets because they're valuable to us, but this does not mean that someone outside would not find something else valuable, even if we do not consider it worth anything.

Sony has been hacked because hackers found something valuable that Sony managers were not valuing; this increased the risk of a security incident, as well as of its repetition.

RISK AND SECURITY: HOW MUCH TO SPEND? (INTRO, CONTINUED)

Assuming we are smart enough to understand the % risk that an incident happens, we have enough elements to start understanding how much security is worth, and so how much we should spend on it.


LET'S DO SOME MATH

If we did our homework and followed the simple steps above, we now have some elements to do some guessing:

  • A - We know more or less how much our process is worth
  • B - We know more or less how much a single incident would cost us
  • C - We know how much we could afford to lose if the incident hits us
  • D - We know that there is some % risk that the incident will hit me

Alas, these are not static values but functions that change over time and are strongly related to what happens at the border; the equations able to describe the relationship between all these elements and the external world are out of the scope of these articles (come on, this is an introduction).

So basically we are now building our insurance, based on something we will negotiate internally with our team and with the management.

The idea is that I want to spend some money in order to address the incident, and I want to get a couple of things:

  • Lower the % risk that the incident will hit me
  • Lower the cost of the single incident

It is clear to me that we have a couple of considerations to take into account.

The security expense cannot be higher than or equal to the value we can lose. It is worthless to protect an asset by spending more than the value of the asset itself.

This means that the Total Cost of Security (TCoS) cannot be higher than C (I know it does not exist, but I love to create this sort of thing, it sounds so professional):

TCoS << C

At the same time we know that TCoS is related to the value D and to the kind of security incident (can I call it SI?), so basically TCoS can be represented as a function of some variables:

TCoS = F(C, t, SI)

where t is time.

Basically TCoS is the highest amount of money I can afford to pay to protect my process. But we know this is a target value and the management will never allow us to spend it, so we will only get a fraction of it; let's call it the Available Total Cost of Security (ATCoS).

We will have ATCoS << TCoS, so basically the amount of money we will be able to allocate to security is just a small fraction of what we should spend.
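As an added example (mine, not part of the original post and not anything Sony published), here is the A/B/C/D reasoning above in Python, with the post's own 100/day and 20 working days as a constructed process and two constructed incident kinds. The cost model for B (downtime times daily value, plus a fixed recovery cost, plus a guessed indirect cost), the use of a per-period probability for D, and the extra cap of TCoS by the total expected loss are my assumptions, not the post's; all figures are made up.

```python
"""A/B/C/D security budgeting model (added example, constructed figures)."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Process:
    name: str
    daily_net: float           # A: net value per working day, all costs taken out
    working_days: int          # working days in the budgeting period (a month here)
    min_acceptable_net: float  # income below which the business cannot go on

    def period_net(self) -> float:
        return self.daily_net * self.working_days

    def affordable_loss(self) -> float:
        """C: how much of the period's value we can lose without closing."""
        return max(0.0, self.period_net() - self.min_acceptable_net)

    def affordable_stop_days(self) -> float:
        """Longest outage (in days) the period can absorb: the post's '5 days stop' line."""
        return self.affordable_loss() / self.daily_net


@dataclass(frozen=True)
class Incident:
    name: str             # SI: the kind of security incident
    stop_days: float      # downtime it causes
    recovery_cost: float  # direct recovery spend (rebuild, forensics, notification)
    indirect_cost: float  # image, customer appeasement, legal: a guess, as the post says
    probability: float    # D: chance it happens in the period (0..1), an assumption

    def cost(self, p: Process) -> float:
        """B: what one occurrence costs, direct and indirect (my cost model)."""
        return self.stop_days * p.daily_net + self.recovery_cost + self.indirect_cost

    def expected_loss(self, p: Process) -> float:
        return self.probability * self.cost(p)

    def can_absorb(self, p: Process) -> bool:
        """True if a single occurrence stays within C: the '<= 5 days' case the
        post says is not the first problem to address."""
        return self.cost(p) <= p.affordable_loss()


def tcos_ceiling(p: Process, incidents: Iterable[Incident]) -> float:
    """TCoS: the most it is rational to spend. The post gives TCoS << C; my added
    assumption is that it is also capped by the total expected loss, because an
    insurance that costs more than the expected claim is a bad deal."""
    expected = sum(i.expected_loss(p) for i in incidents)
    return min(expected, p.affordable_loss())


# Constructed figures in the post's units (100/day, 20 working days), not Sony's.
SHOP = Process("online shop", daily_net=100.0, working_days=20, min_acceptable_net=1500.0)
INCIDENTS = (
    Incident("dos", stop_days=2, recovery_cost=50.0, indirect_cost=100.0, probability=0.3),
    Incident("data breach", stop_days=10, recovery_cost=400.0, indirect_cost=2000.0, probability=0.05),
)

if __name__ == "__main__":
    print(f"C = {SHOP.affordable_loss():.0f}, absorbable stop = {SHOP.affordable_stop_days():.0f} days")
    for i in INCIDENTS:
        print(f"{i.name}: B = {i.cost(SHOP):.0f}, expected = {i.expected_loss(SHOP):.0f}, "
              f"absorbable = {i.can_absorb(SHOP)}")
    print(f"TCoS ceiling = {tcos_ceiling(SHOP, INCIDENTS):.0f}")
```

With these numbers the 2-day DoS stays inside C (350 against 500) and can be absorbed, while the breach (3400, mostly indirect cost) cannot, which is the "concentrate on the >5 days problem" rule in code; the TCoS ceiling comes out at 275, well below C, because the expected loss, not C, is the binding limit.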

Why is ATCoS sensibly lower than TCoS? The basic reasons are:

  • the great dose of guessing we use to determine the A, B, C and D functions
  • the negotiation with the management to allocate resources
  • a usually very low understanding of the implications of security for the business
  • some strong cultural barriers to understanding the impact of new technologies
  • our poor ability to present the value of a solution in terms the management understands
  • the mix of security resources allocated across different departments and

Of course I strongly doubt that any IT man creates his own Total Cost of Security function, so we usually rely on empirical experience and some easy rules:

  • 1) less is better
  • 2) less is better
  • 3) they will never give me what I need
  • 4) they do not understand
  • X) have I told you that less is better?

Some tricks can be used when trying to define a security budget. The first task is to find a sponsor, and marketing is usually a good resource: we should be able to point out the risks to the image and the bad influence that some security risks can have.

Think again of the Sony affair, but also of Honda and the other big firms that were targeted in the same period.

The second trick is to stay aligned with what is happening in the security space worldwide.

You do not have to be a guru; you just need to find good and impressive events that can be used in a discussion to reinforce your point. These days are full of events: just use Google News or a similar service to get an updated recap in your mail. It is useful to be able to explain our needs (the company's needs, actually) by example.

If Sony's PSN managers had been instructed that identity thefts are so common today and can be so destructive in terms of image, they would probably have adopted a completely different approach to security.

The two parameters TCoS and ATCoS are also a function of time and of the communication effort spent: if there are many security warnings, or previous incident experience, those two parameters change.

Again, if we think about the Sony PSN affair, pre-incident the TCoS was close to 0 and consequently the ATCoS was basically 0.

What drove the TCoS close to 0 was the misjudgment of the % risk of an incident occurring ("D") and of the cost of the incident itself ("B").

If we look at what happened it seems clear that the risk was underestimated because managers were not taking into account the damage that would result from the hacking (remember, it's not just the direct costs...) and were not taking into account that there was something valuable to others (personal data) that could be reached. Likewise they did not take into account the consequences in terms of emulation and hacktivism.

Once again we have to remember that security requires cross-functional experience to be evaluated correctly.

In the end, to have an idea of the value of ATCoS we have to make some assumptions, reach some agreements and do some negotiation. But is this enough?

The Sony affair teaches us that there is another term of the equation that should be taken into account: the minimum cost of security I must put in place.

This measure is the minimum expense I have to budget in order to provide a minimum, lifesaver level of security.

If we call mTCoS the Minimum Total Cost of Security, we should assume that

0 << mTCoS << ATCoS < TCoS << C

where mTCoS takes into account:

  • how much I can lose in case of incident
  • legal/contract requirements
  • the technical aspects of the implementation of the solution:
    • direct costs of implementation (project, devices, training)
    • staff
    • management support
  • the business impact of the implementation

mTCoS is a key factor when negotiating with the management: it is the lowest level you can go to in terms of resources. If you do not even reach this level you will not be able to provide the level of service that keeps you within what we defined at point C (how much we can afford to lose in case of incident).

If mTCoS is close to TCoS, it means we have no margin for negotiation (and this is really bad, believe me) or we made the wrong assumptions.

Although this condition may seem far from real, there are areas where security expenditure is usually calculated with a mTCoS close to TCoS. The typical example is storage, where security (well, part of it) is usually integrated in the solution, so nobody considers a RAID implementation an extra security level.

When we have this kind of situation, a sort of undisputed "must have", the negotiation is really easier. There are other areas where this approach can be taken; think, as an example, of the desktop/laptop antivirus client.

How rational is this approach? Usually it is a consolidated approach taken as correct without any critical analysis. The risk here is failing to consider solutions that could provide better coverage of the security needs: there is no such thing as an everlasting security tool, security needs change every day.

So we need to be able to estimate mTCoS in order to negotiate our security budget.
To do so we need tools and instruments, which should generally be used for our routine management and IT budget calculation as well.

I won't spend a word now on legal constraints, but I would like to make some considerations on the technical aspects.

If we know that we need a minimum level of security, we should be able to measure it, compare it against a baseline that helps us understand whether we are doing the right thing or not, measure the changing threat landscape and make some forecasts.
All this requires some statistical knowledge, at least at a high and light level, to forecast what we need and what we will need.
This is an area where people make a lot of mistakes, and I would like to spend a few words on it.

THE TRUCKS AND THE WHEELS

Let's assume a statistic says the average number of wheels per truck is 5. What do you understand from it?
If you expect to find a 5-wheel truck on the road, you have a problem!
If the average is 5 wheels, it means you have some trucks with 4 and some with 6, let's say 50% and 50%.

With only two options, understanding a statistic is quite easy, but when there are more possible outcomes it is sometimes hard to understand the results. This is quite common in the security space, where the interactions between aspects that are apparently unrelated are enormous.

Alas, a lot of people in the security space are looking for the 5-wheel trucks and do not check the 4- and 6-wheel ones.
Sometimes we concentrate on just some aspects of the process because we think they are the only relevant ones, and do not analyze the process itself; the result is that we focus on the wrong target or, rather, we invest more money in hunting the 5-wheel truck than the 4- and 6-wheel ones.
The result is that we miscalculate the elements used to compute the mTCoS, diverting resources to something else.

The classical example is email management.

It is quite common to deploy an anti-spam solution, but spam is not considered in all its aspects; it is just treated as an annoyance to deal with because managers might complain.
Likewise, some content filtering policies are implemented without a real understanding of the consequences, the potential threats, or the impact on productivity.
The result is a set of policies and security services that, from a security perspective, do not actually make any sense, and the money invested does not provide the level of service that the mTCoS should guarantee.
Since the mTCoS has probably not even been calculated (it requires the definition of the process we need to secure and its minimum level of service), this simply means that the security implementation does not address a security concern but just some random aspects, with, probably, a sub-optimal allocation of resources.
Just as an example, it is a consolidated IT policy not to allow executables to be exchanged by email, but at the same time unrestricted use of external webmail is usually allowed; this makes the previous policy of doubtful utility, unless a concurrent anti-malware technology with HTTPS inspection of web flows is implemented.

RISK AND SECURITY: HOW MUCH TO SPEND? (...AND AGAIN AND AGAIN :))

So while we're looking for our 5-wheel security truck, a lot of other vehicles pass under our noses.
Understanding what we have to look for when securing a process is mandatory in order to analyze costs. The mTCoS is strictly related to the process we want to secure and to the minimum level of service we can accept.
To calculate mTCoS we should be able to understand:

  • how the process works: components, storage, users, structure...
  • how (and if) the process is related to other processes
  • which kind of data is processed, and whether it needs to be secured within the process

The best approach is to reduce the process structure and divide it into smaller elements that can be analyzed more easily.

The final mTCoS will be the sum of the mTCoSx computed for every subsystem: if we have a process P that we can divide into sub-processes p1, p2, ... pn, the resulting mTCoS will be (more or less)

mTCoS(P) = mTCoS(p1) + mTCoS(p2) + ... + mTCoS(pn)

So first we should find out what process we want to protect and determine the minimum level of service we can accept; then we should divide it into smaller chunks of sub-processes to make our task easier, and define requirements and interactions for each of them.

Once we have created our process model we can finally define the risks, for each sub-process and for the whole process, that we should consider in order to give the required level of service.

Once we have defined the risks and the process we can rank them in an arbitrary way considering some aspects: the impact of the risk, the probability that the event occurs...

The final step is to look at the market for products and technologies that address our list of risks, in order to secure our process at an acceptable level and define our mTCoS.
Of course we should do a little exercise of imagination when dealing with risks: how much can we transfer? how much can we mitigate? how much can we recover? ...
Several technologies offer different approaches and different costs for the several aspects of risk management.
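As an added example (mine, not the post's), the decomposition procedure above in Python: sub-processes with their risks, a ranking by impact times probability, candidate treatments of the mitigate/transfer/recover kind, the cheapest treatment set per sub-process as its mTCoSx, the sum as the process mTCoS, and a check of where the result sits between ATCoS and TCoS. The scoring rule (expected loss), the "at most one treatment per risk" simplification, the 90% "no margin" threshold and every figure are constructed assumptions, not from any real assessment.

```python
"""mTCoS by process decomposition (added example, constructed figures)."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str        # "mitigate", "transfer" or "recover"
    cost: float      # what it costs for the budgeting period
    residual: float  # expected loss left once it is in place (assumed known)


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # cost if the event happens, direct plus indirect
    probability: float  # chance it happens in the period (0..1)
    options: Tuple[Treatment, ...]

    def expected_loss(self) -> float:
        return self.impact * self.probability


@dataclass(frozen=True)
class SubProcess:
    name: str
    accepted_loss: float  # expected loss we accept: the minimum level of service
    risks: Tuple[Risk, ...]


def rank_risks(sp: SubProcess) -> List[Risk]:
    """Rank by impact * probability, highest first (the post's 'arbitrary' ranking)."""
    return sorted(sp.risks, key=lambda r: r.expected_loss(), reverse=True)


def min_cost(sp: SubProcess) -> Optional[Tuple[float, Tuple[str, ...]]]:
    """mTCoSx for one sub-process: the cheapest set of treatments (at most one
    per risk) that keeps the residual expected loss within accepted_loss.
    Brute force over all choices is fine at this size. Returns None when no
    combination reaches the acceptable level, which is itself a finding."""
    best = None
    for choice in product(*[(None,) + r.options for r in sp.risks]):
        residual = sum(t.residual if t else r.expected_loss()
                       for r, t in zip(sp.risks, choice))
        if residual > sp.accepted_loss:
            continue
        cost = sum(t.cost for t in choice if t)
        if best is None or cost < best[0]:
            best = (cost, tuple(t.name for t in choice if t))
    return best


def mtcos(process: Tuple[SubProcess, ...]) -> float:
    """mTCoS for the whole process: the sum of the per-sub-process minima."""
    total = 0.0
    for sp in process:
        res = min_cost(sp)
        if res is None:
            raise ValueError(f"{sp.name}: no treatment set reaches the accepted level")
        total += res[0]
    return total


def budget_status(m: float, a: float, t: float) -> str:
    """Where we stand in 0 << mTCoS << ATCoS < TCoS (90% threshold is my choice)."""
    if m >= 0.9 * t:
        return "no margin: mTCoS close to TCoS, renegotiate or recheck the assumptions"
    if a < m:
        return "under-funded: ATCoS below mTCoS, minimum level of service not reachable"
    return "ok: negotiate between mTCoS and ATCoS"


# Constructed sub-processes, risks and treatments, not from any real assessment.
WEB = SubProcess("web frontend", accepted_loss=50.0, risks=(
    Risk("dos", impact=1000.0, probability=0.2, options=(
        Treatment("anti-ddos", "mitigate", cost=120.0, residual=20.0),
        Treatment("outage insurance", "transfer", cost=80.0, residual=60.0),
    )),
    Risk("defacement", impact=500.0, probability=0.1, options=(
        Treatment("patching", "mitigate", cost=30.0, residual=10.0),
    )),
))
PAYMENTS = SubProcess("payments db", accepted_loss=100.0, risks=(
    Risk("data theft", impact=5000.0, probability=0.05, options=(
        Treatment("encryption and monitoring", "mitigate", cost=200.0, residual=40.0),
        Treatment("cyber insurance", "transfer", cost=150.0, residual=90.0),
    )),
))
PROCESS = (WEB, PAYMENTS)

if __name__ == "__main__":
    for sp in PROCESS:
        print(sp.name, [r.name for r in rank_risks(sp)], min_cost(sp))
    m = mtcos(PROCESS)
    print("mTCoS =", m, "->", budget_status(m, a=350.0, t=1000.0))
```

For the web frontend the only affordable combination that stays under the accepted loss is anti-DDoS plus patching (150); for the payments database transferring the risk through insurance (150) is enough even though mitigation would leave a lower residual. The sum, 300, is the floor to bring to the negotiation; the same data with an ATCoS of 250 would report "under-funded", which is the situation the post warns about.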
Just theory?
Believe it or not, this is an approach that can drive our expenditure in the right direction, which is not to spend as little as possible, but to spend the correct amount of money to address the problems I need to address in order to provide the level of service requested.
Otherwise we can use the Sony approach :) but remember, spending "0" or "100" without a correct plan is equally nonsense.