Professional Documents
Culture Documents
Information Security Is Information Risk Management
Information Security Is Information Risk Management
Bob Blakley
Tivoli Systems, Inc.
blakley @us, ibm.com
Ellen McDermott
J.P. MorganChase
Dan Geer
@Stake
ABSTRACT
Information security is important in proportion to an
organization's dependence on information technology. When
an organization's information is exposed to risk, the use of
information security technology is obviously appropriate.
Current information security technology, however, deals with
only a small fraction of the problem of information risk. In
fact, the evidence increasingly suggests that information
security technology does not reduce information risk very
effectively.This paper argues that we must reconsider our
approach to information security from the ground up if we are
to deal effectively with the problem of information risk, and
proposes a new model inspired by the history of medicine.
1. I N F O R M A T I O N RISK
ALEffi
1.1 W h a t is Risk?
In business terms, a risk is the possibility of an event which
would reduce the value of the business were it to occur. Such
an event is called an "adverse event."
2. M A N A G I N G RISK
Businesses routinely manage risk as part o f their day-to-day
operations.
Risks can be managed using a variety of
mechanisms, including liability transfer, indemnification,
mitigation, and retention.
Every risk has a cost, and that cost can be (more or less
precisely) quantified. The cost of a particular risk during a
particular period of time is the probability of an adverse event
occurring during the time period multiplied by the downside
consequence of the adverse event. The probability of an event
occurring is a number between zero and one, with zero
representing an event which will definitely not occur and one
representing an event which definitely will occur.
The
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is grmted without fee provided that copies are
not made or dislributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise,
or republish, to post on servers or to redisl3"ibuteto lists, requires prior
specific permission and/or a fee.
NSPW'OI, September 10-13m,2002, Cioudcroll, New Mexico, USA.
Copyright 2002 ACM 1-58113457-6/01/0009...$5.00.
97
2.2 I n d e m n i f i c a t i o n
3. I N F O R M A T I O N SECURITY
Up to this point we have used examples unlrelated to
information risk to illustrate risk management. Failures o f
information security are clearly adverse events which cause
losses to business; therefore, i n f o r m a t i o n security is a r i s k
m a n a g e m e n t discipline, whose j o b is to manage the cost o f
information risk to the business.
3.1 W h a t is I n f o r m a t i o n Security?
Where information risk is well enough understood and at least
in broad terms stable, information security starts with policies.
These policies describe "'who should be allowed to do what" t o
sensitive i n f o r m a t i o n .
Once an information security policy has been defined, the n e x t
task is to enforce the policy. To do this, the business d e p l o y s
a m i x o f processes and technical mechanisms. These processes
and m e c h a n i s m s fall into four categories:
Detection measures
events o c c u r .
2.3 M i t i g a t i o n
business
when
adverse
2.4 Retention
If an adverse event is not very costly or not very likely to
occur, or if the benefits to be realized from taking a risk are
great, a business m a y choose to retain the risk which t h e
adverse event creates.
alert the
3.2.1
Focus
98
against physical
cameras, etc...)
mechanisms
(such
as locks,
4. QUANTIFICATION OF I N F O R M A T I O N
SECURITY RISK
Risk analysis has been recognized as an important information
security discipline for a long time. Information security risk
analysis methodologies were developed long ago, and some of
these methodologies
have been included in formal
information security standards. The large majority of these
standards have been qualitative - t h a t is, their assessment of
probability and consequence of risks is based on a
"low/medium/high" characterization rather than on a specific
probability and a specific dollar amount of loss. Qualitative
information security risk management standards include the
US Federal standards [FIPS31] and [FIPS191].
Recent
guidelines which recommend qualitative risk analysis
techniques include [GAO] and the newly issued draft
t~STRMO].
Quantitative information security risk management standards
have been developed, including the now withdrawn [FIPS65].
The authors are not aware of any current information security
standard which mandates the use of a quantitative risk
analysis method, though the Australian national standard for
risk analysis [AS] permits the use of either qualitative or
quantitative analysis. Methodologies for quantitative and
mixed quentitative/qualitative
information security risk
analysis have been published; see for example [Pelt].
Quantitative risk analysis is used extensively in disciplines
other then information security, including finance, healthcare,
and safety (see [KBPS] for a number of examples). There is a
large body of literature on methods for quantitative risk
analysis in these fields; sources include [Koll] and [Vosc].
walls,
mmilm,
r~-
vh~4
im
ram-
Iqv6
mTImm,
lmmIdmm
Emma,
wmlm
m
mmm4*
lammL
dm~m,
mlnm
mwf~
all,
by
mmow..
3.2.2
Effectiveness
99
4.2 I n c i d e n t s
I n f o r m a t i o n needs to be gathered about security i n c i d e n t s
experienced by businesses worldwide. This information m u s t
include w h a t vulnerabilities were e x p l o i t e d and how r e s p o n s e
and recovery were handled. Incidents that are traceable t o
v u l n e r a b i l i t i e s already k n o w n are one thing and will be a
matter o f d i s c u s s i o n between insurers and v i c t i m s i f in n o
other situation. Incidents that h i g h l i g h t p r e v i o u s l y u n k n o w n
v u l n e r a b i l i t i e s m u s t b e fed back to that catalog.
This
information needs to be collected and m a d e available in a w a y
which does not create a d d i t i o n a l liabilities for the r e p o r t i n g
organizations (and hence incentives to a v o i d reporting).
4.3 L o s s e s
F o r each incident identified, information needs to be c o l l e c t e d
about direct m o n e t a r y losses caused by the incident and a b o u t
indirect losses (for example, r e p u t a t i o n damage or
lost
business) with an estimate o f the m o n e t a r y losses r e s u l t i n g
from these indirect losses. The c a l c u l a t i o n o f losses needs t o
be done using a uniform m e t h o d o l o g y , and the i n f o r m a t i o n
needs to b e collected and m a d e a v a i l a b l e in a way which d o e s
not
create
additional
liabilities
for
the
reporting
organizations.
The National Underwriter C o m p a n y [ECov], r e c o g n i z i n g t h e
lack o f this k i n d o f actuarial i n f o r m a t i o n about i n f o r m a t i o n security-related losses, has solicited the aid o f the t e c h n o l o g y
staff o f the insurance i n d u s l r y i t s e l f in fixing the p r o b l e m :
"Even t h o u g h insurance IT staffers can revert to the s a m e
techie talk that t e c h n o l o g y clients use, they are often r e q u i r e d
to e x p l a i n t e c h n o l o g i c a l a d v a n c e m e n t s and enhancements to
upper m a n a g e m e n t o f the insurance company, especially w h e n
discussing IT expenditures. I f t h e y can do that, w h y c a n ' t t h e y
be used to help underwriters d e v e l o p assessment and
u n d e r w r i t i n g tools and train c l a i m s p r o f e s s i o n a l s in t h e
intricacies o f IT losses."
W e ask a similar question:
i f the IT security industry can
design countermeasures and counsel clients on h o w to d e f e n d
their systems, w h y c a n ' t we help underwriters d e v e l o p
assessment
and u n d e r w r i t i n g
tools
and Urain c l a i m s
p r o f e s s i o n a l s in the intricacies o f IT losses?
Do we h a v e
something m o r e i m p o r t a n t to do7
4.4 C o u n t e r m e a s u r e
Effectiveness
4.1 V u l n e r a b i l i t i e s
A c o m p r e h e n s i v e list o f i n f o r m a t i o n security v u l n e r a b i l i t i e s
needs to be developed. F o r each v u l n e r a b i l i t y , i n f o r m a t i o n
needs to be gathered and regularly u p d a t e d about the ease a n d
f i c q u c n c y o f exploitation, and ease and speed o f recovery f r o m
exploitation. This i n f o r m a t i o n must be collected and m a d e
available in a w a y that d e m o n s t r a b l y
minimizes the
p r o b a b i l i t y o f exploitation in an eccmomically harmful w a y
S.
i00
Mandatory professional
practitioners
education
Systematic observational
effectiveness o f treatments
studies
and
of
liccnsure
safety
of
and
This situation looks to the authors very much like the state of
medical practice in the 19th century (for a good general
treatment of the development of scientific medicine, see [Por],
which includes an extensive bibliography).
Medical
practitioners had a poor understanding of the prevalence, , and
likely outcomes of illness causes (the 1899 first edition of the
Merck Manual [Merl] contains no information about causes,
symptoms, or mortality rates of the conditions it describes; it
consists entirely of lists of preparations which could be
administered for each condition, with no advice on how to
choose among the many options), and the safety and
effectiveness of treatments (The 1900 edition of the Old
Farmer's Almanac includes an advertisement for Wistar's
Balsam of Wild Cherry, which claims that "It is the most
reliable preparation in the world for the cure of Coughs,
Influenza, Bronchitis, Whooping Cough, and all Throat and
Lung Troubles, and in many well attested cases, Consumption
[i.e. Tuberculosis] has yielded to its wonderful influence"
[OFA]). The public feared medical treatment (for good reasons,
despite frequent outbreaks of serious diseases), and widely
considered medicine to be ineffective. And of course, the
human organism was too complex to really understand.
on.
101
whose
Professional training in m a n a g e m e n t o f i n f o r m a t i o n s e c u r i t y
risk should present a b r o a d and in'tegrated view t r e a t m e n t s
(including, for example, risk transfer and i n d e m n i f i c a t i o n ) ,
rather than the o n e - d i m e n s i o n a l , v u i n e r a b i l i t y - r n i t i g a t i o n
focus c o m m o n today. A t the s i m p l e s t level, this means t h a t
information security risk e d u c a t i o n should include f i n a n c i a l
and legal d i s c i p l i n e s in a d d i t i o n to the technical d i s c i p l i n e s
taught today. Some risk-managemerLt experts have begun to
describe h o w risk m a n a g e m e n t acti,vities can be i n t e g r a t e d
across the entire spectrum o f business
risks [Shim];
information security education should be built on this kind o f
c o m p r e h e n s i v e framework.
Obviously,
the
advanced
research which
drives t h e
d e v e l o p m e n t o f new ~eatrnents and deeper u n d e r s t a n d i n g o f
the causes o f risks will continue to be carried out in t h e
a c a d e m i c and business c o m m u n i t i e s , j u s t as advanced m e d i c a l
research into new drugs and the causes o f disease is carried o u t
by academic m e d i c a l schools and p h a r m a c e u t i c a l research l a b s
today.
treatments
8.
EVALUATI~.D?
Today, information security t e c h n o l o g i e s are subjected t o
design and i m p l e m e n t a t i o n a n a l y s e s defined b y a number o f
assurance regimes (most n o t a b l y the C o m m o n Criteria [CC]).
B u s i n e s s e s can also s u b m i t v o l u n t a r i l y to "seal" p r o g r a m s ,
whose certifications are based on d e p l o y m e n t o f p o p u l a r
technologies,
and
on conl3"act, process
and
system
c o n f i g u r a t i o n audits. B u s i n e s s e s can contract for p e n e t r a t i o n
testing, but the authors are not aware o f any c e r t i f i c a t i o n
regime which requires p e n e t r a t i o n testing, or any o t h e r
e x p l i c i t measure o f the effectiveness o f security p r o t e c t i o n
measures, as a condition o f granting certification.
6.1 Reporting
Today, almost all i n f o r m a t i o n sec~c~-ity risk assessments u s e
qualitative rather than quantitative methods. Some r i s k
analysis m e t h o d o l o g i e s and standards already i n c o r p o r a t e
r u d i m e n t a r y l o s s - e x p e c t a t i o n e s t i m a t i o n methods, but t h e s e
are u s u a l l y limited to a " l o w / m e d i u m / h i g h " c a t e g o r i z a t i o n
with arbitrary dollar ranges assigned to the categories. S o m e
industries already quantify intellectual property risk i n
financial terms and take steps to m;mage risk using f i n a n c i a l
instruments.
Risk a s s e s s m e n t findings are e s s e n t i a l l y never shared w i t h
anyone except the business being assessed, and p o s s i b l y i t s
external auditors.
N o s y s t e m a t i c effectiveness t e s t i n g o f information s e c u r i t y
measures is done by any i n d e p e n d e n t body, and the results o f
effectiveness testing done b y vendors and their contractors are
a l m o s t never p u b l i s h e d .
I n f o r m a t i o n risk m a n a g e m e n t
professionals have no training in the design o f experiments t o
test effectiveness o f the m e a s u r e s t h e y design, and no t r a i n i n g
in p u b l i s h i n g or r e v i e w i n g the results o f such experiments.
7.
RISK
measures,
!02
One argument against this point of view might be that the real
cost of the loss of a life to the organization which causes the
loss is not very great in some cases. Estimates of the total cost
of the Union Carbide Bhopal plant to the Union Carbide
corporation vary, but the direct cost o f the legal settlement
($US 470 million) represents only about SUS 12,400 for each
of the roughly 3800 people killed by the accident, and this
does not include consideration of the more than 2700 people
permanently disabled. Twelve thousand dollars for a human
life is an uncomfortably low figure. Does this mean that
quantifying this risk is ethically irresponsible? The authors
think not - the fact that a life costs a major corporation o n l y
$12,000 looks to us like a call for reform of the liability
system.
9. A WORD ABOUT ~
ETHICS OF RISK
QUANTIFICATION
A review of an earlier draft of this paper questioned whether
quantification o f certain types of risks (particularly risks to
human life and safety) in fmancial terms is ethically
acceptable.
The first point to be made in this context is that systems which
pose known or suspected risks to human life or safety should
be treated using techniques for managing risk in safety-critical
systems, even if they also require information security risk
treatment (see for example [Leve] or [Stor] for full treatments
of risk in safety-critical systems). The authors do not claim
that information security risk management techniques do, or
should, protect against safety risks.
10. A C K N O W L E D G E M E N T S
The authors are grateful to the anonymous reviewers, and
specifically to the reviewer who called the issue of the ethics
of quantification of losses to our attention.
The first author would like to acknowledge the support of the
Open Group in providing an ongoing forum for his
investigations into the topic of security and Risk
Management.
103
11. R E F E R E N C E S
[AS] Standards Australia, "AS/NZS 4360:1999 Risk
Management", 1999.
[CSI] Computer Security Institute ~md US FBI, "Computer
Security Issues & Trends", C SI, 2000.
[AFM] Arbaugh, W., Fithen, W., and McHugh, J.,
"Windows of Vulnerability, .a Case Study Analysis",
IEEE Computer, IEEE, Dece]mber, 2000.
[Basel] Bank for International Settlements, "The New Basel
Capital Accord", Basel: Bank for International
Settlements, 2001.
[Bcom] Comments on New !Basel Capital Accord,
http://www.bis.org/bcbs/cacomments.hUn
[CERT]
CERT,
CERT
Annual
Reports,
http ://www.cert.org/annual_rpts/index.html
[ECov] TechRisk.Law, "e-Cove-age", Cincinnati, OH:
National Underwriter Company, 2000.
[ERisk] Lang, S., Davis, J., Jaye, D., Erwin, D.,
Mullamey, J., Clarke, L., and Loesch, M., "e-risk:
Liabilities in a Wired ~'orld", Cincinnati, OH:
National Underwriter Compemy, 2000.
[FIPS3 I] US Depa~h,.ent of Con~nerce/National Bureau of
Standards, "Guidelines For
Automatic Data
Processing Physical Security and Risk Management",
1974.
[FIPS 191] US Department of Cmnmerce/National Institute
of Standards and Technology, "'Guideline for the
Analysis of Local Area Network Security", 1994.
[GAO] US General Accounting Office, "Information
Security Risk Assessment: Practices of Leading
Organizations", 1999.
[Har] Harrington, S., and Niehau~, G., "Risk Management
and Insurance", Boston, Irwin/McGraw Hill, 1999.
104