Tuesday, July 8, 2008

Quantifying Risk & ROI In Vulnerability Assessments

Question: What course is open to the budget-strapped executive who assumes that the current security systems are good enough, robust enough, and up-to-date enough to stop the next wave? How does he prove due diligence, and assure all stakeholders that their confidence in the systems under his control is well placed? A difficult, costly and often intimidating process!

Clearly, the only solution is to monitor and assess the exact vulnerability state of every component of the infrastructure constantly and consistently. Outsourced security operations offer many advantages and excellent services in this regard, which can greatly enhance the overall security level of the enterprise. Costs, however, are often difficult to justify in real terms, and for most security spends a true ROI is difficult to establish.

Where the risks are clear, the solution is often seen as a necessary evil rather than an investment, but where vulnerability assessments are concerned, determining an accurate ROI can be a highly involved process, and is practically impossible to achieve in isolation.

The real return on investment for vulnerability assessment technology and technical audit services cannot be determined simply as a factor of risk mitigation, but MUST also incorporate the improvement effect that these systems have on ROI calculations for more specific security architecture, such as firewalls, IDS, biometrics and the like.

To illustrate this concept: the necessity of a firewall is clear for any Internet-connected concern, and its worth can be clearly demonstrated in pure risk mitigation and network protection terms. The continual stringent maintenance and accurate configuration of that firewall, however, directly impacts its effectiveness and therefore its worth, and hence its ROI.

Regular assessment of its configuration, and timeliness of patching newly discovered problems, maintains or increases the effectiveness, and therefore the worth of that firewall.

True ROI calculations for vulnerability assessment must include the real threat that a compromise of these assets poses to the security of other, linked and/or underlying systems, data, and processes.

  • The value of information is often considered to be at least as important as the value of a company's physical assets.
  • Protecting the confidentiality, integrity, accuracy and accessibility of company information is important to a firm's ability to function in today's business environment.
  • A breach of a company's information systems could result in the disclosure not only of its own information, but also of its trading partners' sensitive data.
  • The biggest threat is unauthorized users, including insiders, hackers, corporate raiders / intelligence-gathering companies (which use and sell this information to other companies), and professional criminals.
  • Most E&O, liability, business continuation and property insurance policies require a proactive security policy, and vulnerability assessments go a long way toward satisfying that requirement.
  • Statistically, the average percentage of a firm's information technology budget that is spent on information security is 1-2% of average revenues.

Three drivers in the decision to proceed:

What is the loss resulting from a breach occurring?

  • Downtime
  • Compromised / damaged / stolen data
  • Monetary cost
  • Legal costs
  • Costs related to loss of system / data availability
  • Lost business
  • Internal / external services to correct / remediate situation
  • Costs related to loss of information integrity / confidentiality

What is the probability of a threat occurring?

  • Challenge, status or thrill
  • Every day, your network is being scanned and probed by a variety of automated tools and people seeking nothing more than "breaking in". This occurs whether you know it or not - guaranteed, so the threat is indeed real - it's happening today.
  • Most first time exploits go undetected. You usually don't know about it until it is too late and the damage has been done.
  • Damage to electronic assets, data, reputation or ability to conduct business.
  • Can occur purposefully, by accident or by random "luck of the draw"
  • Loss of customer trust
  • Ability to win future business

What is the probability that a threat would be successful?

  • The probability of an asset being compromised can be estimated based on the availability and ease of performing the exploit and the attractiveness of the target.
  • This probability of compromise is then combined with the possible loss or cost resulting from a security breach to determine a risk value for the asset.
  • Until an assessment is performed you don't know how available or easy it is for a vulnerability to be identified and exploited.
  • What you don't know, CAN hurt you.
  • Unknown vulnerabilities make a target very attractive. Regardless of the company or what it does, once vulnerabilities are identified they are posted on various Internet sites for all to see, and to take advantage of.
  • Firewalls are not enough.

Your investment is small relative to the cost of a vulnerability being exploited!
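As an added illustration, not part of the original post, the three drivers above (loss from a breach, probability of a threat, probability of success) turned into a small expected-loss and ROI calculation. The loss figures, probabilities and assessment cost are constructed sample values, and the model (risk value = P(threat) × P(success) × single-incident loss, ROI = (risk reduction − assessment cost) / assessment cost) is an assumption chosen for the example, not a formula the post states.

```python
from dataclasses import dataclass


@dataclass
class BreachLoss:
    """Single-incident loss, broken down along the cost categories the post lists."""
    downtime: float          # cost of lost system / data availability
    data_recovery: float     # compromised, damaged or stolen data
    legal: float             # legal costs
    remediation: float       # internal / external services to correct the situation
    lost_business: float     # lost business and loss of customer trust

    def total(self) -> float:
        return (self.downtime + self.data_recovery + self.legal
                + self.remediation + self.lost_business)


def risk_value(loss: BreachLoss, p_threat: float, p_success: float) -> float:
    """Expected loss for one asset: P(threat occurs) * P(threat succeeds) * loss."""
    for p in (p_threat, p_success):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p_threat * p_success * loss.total()


def assessment_roi(loss: BreachLoss, p_threat: float, p_success_before: float,
                   p_success_after: float, assessment_cost: float) -> tuple[float, float]:
    """Return (risk reduction, ROI ratio) for an assessment that lowers P(success).

    ROI ratio = (risk reduction - assessment cost) / assessment cost; a value above 0
    means the expected loss avoided exceeds what the assessment cost (assumed model).
    """
    if assessment_cost <= 0:
        raise ValueError("assessment cost must be positive")
    reduction = (risk_value(loss, p_threat, p_success_before)
                 - risk_value(loss, p_threat, p_success_after))
    return reduction, (reduction - assessment_cost) / assessment_cost


# Constructed sample figures (hypothetical, not from the post): total loss 200,000.
SAMPLE_LOSS = BreachLoss(downtime=40_000, data_recovery=25_000, legal=60_000,
                         remediation=30_000, lost_business=45_000)


def example() -> tuple[float, float]:
    # P(threat) = 1.0 mirrors the post's point that probing happens every day.
    # Assumed: unknown vulnerabilities give P(success) 0.30; after assessment and
    # patching it drops to 0.05; the assessment costs 20,000.
    return assessment_roi(SAMPLE_LOSS, 1.0, 0.30, 0.05, 20_000)


if __name__ == "__main__":
    reduction, roi = example()
    print(f"risk reduction: {reduction:,.0f}  ROI ratio: {roi:.2f}")
```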
