Risk Decision Making: A Qualitative and Quantitative Approach
There are a number of methods to evaluate risks and threats to infrastructure and enterprise systems. Sometimes the simplest method is to view it as a basic risk vs. countermeasure trade-off with a system for deriving ROI. I devised a model to help in this regard -- the Risk Decision Vector Model.
Risk Decision Vector Model
This model is a hybrid of the infrastructure risk assessment methodology. It has been expanded and curtailed to fit an information technology scenario with a focus on operating systems. The RDVM is a practical, quantitative approach to making security-related evaluations and decisions based on static criteria. The criteria attempt to help management and security-minded individuals make balanced decisions given a set of findings.
Each aspect of the model dictates something that must be accomplished before the next step can be taken. It is a serial, step-by-step approach that is primarily quantitative in nature but does have some qualitative associations embedded in the process (e.g. the ranking of perceived threats is an educated evaluation rather than a structured metric).
This provides a level of flexibility when making decisions, which is considered more realistic in diverse environments. Example: Port xx is considered a flaw, but certain applications require the use of that port; if all applicable security remediation is applied to mitigate the threat in the best possible fashion, the port is considered adequately secured rather than a continuing exposure.
This model then provides acceptable criteria for moving down the tree, as opposed to a pure metric model, which would always flag the finding as “not acceptable” and thus impede acceptance of the security posture of whatever system is being analyzed. This technique is considered more “real world”.
Compartmentalizing attacks as probability vs. impact works extremely well for enterprise infrastructures, because remediation is straightforward to identify and the techniques to remediate are openly available.
The only limitations are the subjective elements that are contained in the criticality ranking matrix and the non-compliance to a universal standard such as ISO-17799, HIPAA, Sarbanes-Oxley (404) and the like.
Return on Investment Valuation
A crucial factor that is often overlooked is Return on Investment (ROI) and its relation to security. ROI, when it pertains to Information Security, is often disregarded because it is commonly perceived that all security should be attended to regardless of the financial upside or downside.
This is an improper methodology, because each and every security factor is perceived as crucial and examined in isolation – e.g. there is a security risk, so it must be resolved immediately or we might suffer a perceived loss. That is the heart of the matter – perceived risk is different from actual or realized risk.
Organizations often purchase insurance, implement firewalls, intrusion detection/prevention systems, content filters, software restriction policies and yes, even corporate policies to offset risk. The question remains: given an issue, is it worth the time and cost to remediate the perceived risk? That cost can be broken down into factors such as man-hours, finances (salaries, wages, etc.), diversion from other processes and the like.
A general ROI grid can answer those questions, because once a perceived risk is acted on, it has now become an actual or realized risk and has costs associated with it.
The following grid attempts to qualify and quantify ROI at a very high level. There are other more detailed ROI models that offer an inordinate amount of detail, yet this model attempts to help create dialogue and promote discussion of the risk and resolution and how it relates to ROI.
Note: Realized ROI is attained from ongoing operations, not inherently from the security assessment.
To use the model, simply examine the Risk Ranking and estimate its position on the grid based on the Risk Decision Vector Model and match the RDVM color code:
- Excellent – Tremendous Gain (Veritable Positive)
- Improved – Accelerated Advantage (Favors Positive)
- Average – Cost Justified (Vertical Neutral)
- Justified – Even (Horizontal Neutral)
- Low – Negative or Absent Benefit (Favors Negative)
- Poor – Downside Preference (Absolute Negative)
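The following is an added worked sketch of the decision steps above (probability vs. impact ranking, the “Port xx” acceptance criterion, and the ROI grid bands); it is not code from the original article. The 1–5 scales, the acceptance threshold, the ROI formula and the band boundaries are all assumptions, since the article does not specify them.

```python
"""Added illustration of the RDVM ranking, decision step and ROI grid.
All scales, thresholds and band boundaries below are assumed, not from the article."""
from dataclasses import dataclass

# Assumed ROI band boundaries: (lower bound on ROI ratio, grid label), highest first.
ROI_BANDS = [
    (2.0, "Excellent"), (1.0, "Improved"), (0.25, "Average"),
    (0.0, "Justified"), (-0.5, "Low"), (float("-inf"), "Poor"),
]

@dataclass
class Finding:
    name: str
    probability: int                   # assumed scale: 1 (rare) .. 5 (near certain)
    impact: int                        # assumed scale: 1 (negligible) .. 5 (severe)
    required_by_business: bool = False # the "Port xx" case: an application needs it
    mitigations_applied: bool = False  # all applicable remediation is in place
    expected_loss: float = 0.0         # assumed input: loss avoided by remediating
    remediation_cost: float = 0.0      # man-hours as money, tooling, diversion

def risk_rank(f: Finding) -> int:
    """Probability vs. impact compartmentalisation, giving a 1..25 score."""
    return f.probability * f.impact

def decision(f: Finding, threshold: int = 12) -> str:
    """RDVM step: a pure metric model flags every score >= threshold as
    'not acceptable'; the RDVM accepts a required exposure once all
    applicable mitigation has been applied (assumed threshold of 12)."""
    if risk_rank(f) < threshold:
        return "acceptable"
    if f.required_by_business and f.mitigations_applied:
        return "acceptable with mitigation"
    return "not acceptable"

def roi_ratio(f: Finding) -> float:
    """Assumed ROI formula: (loss avoided - cost of remediation) / cost."""
    if f.remediation_cost <= 0:
        raise ValueError("remediation cost must be positive")
    return (f.expected_loss - f.remediation_cost) / f.remediation_cost

def roi_band(ratio: float) -> str:
    """Map an ROI ratio onto the six grid labels listed in the article."""
    for lower, label in ROI_BANDS:
        if ratio >= lower:
            return label
    return "Poor"

if __name__ == "__main__":
    # Constructed sample findings, not real data.
    port = Finding("Port xx", 4, 4, True, True, 50_000.0, 10_000.0)
    legacy = Finding("legacy service", 5, 3, False, False, 4_000.0, 10_000.0)
    for f in (port, legacy):
        print(f.name, risk_rank(f), decision(f), roi_band(roi_ratio(f)))
```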