Modeling Risk

David Ting
Feb 03, 2012

Modeling Risk

Risk management seems to be the conversation du jour. I was just a the Lenel Paradigm Conference in Rochester with some of their leading security consultants and the topic that constantly came up was Risk and how security practioners needed to understand the business drivers around mitigating risk. With access and authentication management-centric security breaches like LendingTree and Societe Generale making headlines and compliance requirements mandating greater information security, how does one even begin to understand what a company needs to do? New threats, internal and external, pop up every day. Security is a blend of technolog, procedures and process that attempt to govern how users access and use information resources. How do we gauge the effectiveness of technologies in place and calibrate them against their cost effectiveness in reducing improper access and use by employees, contractors, ex-employees and visitors?. Defense-in-depth is the right approach to strengthening overall security today, but simply deploying intrusion prevention or strong authentication or encryption as another part of the security equation is not enough. So far in IT security we've gotten away with arm waving to promote the need for improving security and relying on our instincts that certain mitigation technologies will be effective for thwarting breaches. The time has come for us to think more as systems engineers and get a clear view of an organization's security posture by modeling the potential risk of a breach and understanding the cost of such a breach. After all if the goal is to reduce risk, how do you know how much would be appropriate to spend on reducing that risk?

Modeling risk from outside in and across multiple security layers, requires one to quantify the probability that something can slip through a layer (each layer you introduce to the system, is another opportunity for leakage and porosity) in the same way one would create a cascaded set of filters each designed to block specific types of intruder. For those of us that endured those signal processing systems classes years ago this is just a classic linear system designed to pass certain signals (allowing authorized users to get through) while attenuating or reducing the noise (incorrect or undesirable users) that can be mingled with the signal. In this model one needs to gauge the risk associated with the potential for someone to incorrectly gain access to critical information through each layer. Modeling how physical, network and application security collectively combine as a system to reduce risk allows one to understand how technology, procedural changes or temporal effects interact with each other to holistically impact the cost-effectiveness of the solution. IP security often isn't systematically measured, so you can't clearly quantify risk right now. Therefore you need to determine how to figure out how to model risk in order to understand how to reduce risk associated with compromised system. [more to come on this on an upcoming post.]

Specifically identifying a cost/benefit ratio of security investments vs. the damage an incident could bring forth may never be crystal clear. However, with a model, it becomes possible to ascertain where threats are most likely to penetrate specific layers and will be useful in pinpointing where improvements are needed to mitigate and/or to respond quickly should something indeed happen. In addition, it'll give you the clarity to communicate what you need to those with the critical business case sign-off on your next security investment.

So, have you assessed your risk potential? What does your model say is the biggest threat today? I'd love to hear what others have found , and approaches on how you are modeling risk at your companies.

-David