www.giac.org




ROISI Overview
Category: Security Management Practices
Authors: Terry Martin, Alexandra Bakhto, and Adrian Mizzi
Date Added: March 30th, 2007

Introduction

A common thread running throughout an organization is the need to establish the business case for information security and embed it in policy. An information security policy will fail if it does not demonstrate support for the core objectives of the organization and have its case championed in the executive suite.

Even if it gains adoption as a result of a shift of priorities typically seen in the aftermath of a security breach, a good policy needs to anticipate the fickle nature of executive support by putting forward a business case demonstrating ongoing and measurable tangible and intangible benefits to the organization.

In this paper, we interview Adrian Mizzi, MBA, and gain insight into what this means in the mind of the executive suite. We outline the structured decision support process that the gatekeepers of the organization need in order to make the decisions that meet the objectives of the information security professional.

The Essential Question

After the threat and risk assessment has been conducted and a solution set is costed and proposed, the essential question that remains for the executive suite is "how much of the solution set is enough?" The answer to this question ranges from doing nothing to implementation of the full solution set, and the decision requires a support framework.

Opening the Door to the Executive Suite

Q. Adrian, you completed your master's of business administration with a thesis analyzing this issue. If we brought a policy proposal containing the business case to your chair in the executive suite, what would you want to see as the first paragraph of the business case section?

A. It has become standard organizational practice that organizations publish vision and mission statements describing what the company is all about and how they intend to go about doing it.

For example:

Our goal is simply stated. We want to be the best service organization in the world. - IBM
Google's mission is to organize the world's information and make it universally accessible and useful.

The organizational strategy flows from these statements. The strategy contains high-level elements of what needs to be done to achieve the mission of the organization, thus fulfilling the vision, the raison d'être of the organization. As the top-level strategy cascades down from the board to the CEO and the key executives, somewhere down the line we find the information security policy that should ideally contain elements of the top-level organizational objectives.

Example from Health Care

Q. Public sector organizations typically have different objectives than those in the private sector. For example, in British Columbia, health care services are primarily provided by bodies of the provincial government called Health Authorities.

An excerpt from the published strategic plan assembled under the direction of the various CIOs is shown here:

Farther along, in a section titled Guiding Principles, a number of points are set out, including

An Easy Policy to Build To

Q. This is plainly an easy top-level policy to build to, mostly because the authors have articulated top-level leadership guiding information security policy. When the executive suite fails to provide such clear support, how does that trickle down through the culture of the organization?

A. In this case, there is a clear continuation between the vision and the Infosec policy. "The right information in the right hands at the right time" is the definition of "confidentiality" in layman's terms. This is repeated in the definition of Confidentiality in the Guiding Principles.

Paranoia, Not Business Values

A. However, as you suggest, information security policies are frequently governed by paranoia and not by business values. Most probably drafted by engineers and not by business executives, policies will contain technical jargon that can instill fear in those reading it. Do this. Don't do that! Bombarded by emerging security standards and policies such as ISO 17799, an information security policy might require more personnel to set the necessary controls than the organization resources can permit, particularly in SMBs.

SANS Sample Policies

A. SANS publishes a set of policies that organizations can use at no cost. For example, here is an extract of the overview to the InfoSec Acceptable Usage Policy:

Infosec's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to <Company Name>'s established culture of openness, trust and integrity. InfoSec is committed to protecting <Company Name>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Nevertheless, in practice, I know of cases where the IT department disallowed users from saving mp3 audio files and, when challenged by the marketing department, the IT administrator said, "The policy does not allow users to save mp3 files on the company machine." In this case, the audio files were required for a radio advertisement. More recently, the use of instant messaging (IM) is becoming accepted as the means of communication between employees, but I am sure that many policies exist that prohibit the use of IM for security reasons.

Align Policy with Organizational Objectives

Q. Would you agree that the first paragraph of the business case section of an InfoSec policy should be a statement of the organization's top-level objectives?

A. The first paragraph should, at the very least, capture aspects of the top-level objectives. If the organization's HR objectives are to "foster ad hoc informal communication among employees so as to increase productivity," the InfoSec policy should not contradict this. This does not mean that the IT department should not put the necessary control mechanisms in place.

For IBM to be the best service organization in the world, this must be captured in its InfoSec policy. I am a firm believer that when done right, security can be a business enabler and not a business inhibitor. So yes, I agree that the organization's top-level objectives should be reflected in some shape or form in the security policy. In practice, copying and pasting an InfoSec policy might not do justice to the organizational goals, which are different from one organization to another.

A not-for-profit organization or a state agency has different organizational goals than the business enterprise whose objectives are to maximize profits or, as the thinking goes these days, to increase shareholder value. I believe, and my work tends to focus on this area, that likewise IT security measures should increase shareholder value. This is why I preach that information security practitioners should increasingly use business techniques to evaluate information security expenditure in a business context. For example:

As a provider of software, services and monetization for users, advertisers and publishers on the Internet, we feel a responsibility to protect your privacy and security. We recognize that secure products are instrumental in maintaining the trust you place in us and strive to create innovative products that both serve your needs and operate in your best interest.
- Google

Here, Google makes no direct referral to the overall mission statement but does make it clear that it has a "responsibility to protect" its users.

Offset Cost with Value

Q. One way or another, securing information has a cost that needs to be offset by value to justify the investment. Can you provide some guidelines on what you expect an organization's position to be in terms of what it is willing to spend to protect its information assets?

A. Of course, it depends on the nature of the organization; however, I would look for the following elements.

First, the organization should specify the components of its information assets that it is willing to put at risk by virtue of, say, putting them online. This may be a complex process to determine, as here we are dealing with the intangible assets of the business.

Whatever the case, however, I would expect that the organization is fully aware of the information assets at stake, and it is useful to have this as a percentage of the total information assets of the organization.

A brick-and-mortar shop planning for an online portal has less at stake than a virtual organization that operates fully on the Internet. Let's keep in mind that we might be talking of significant amounts. Consider the recent case where information stolen from the systems of massive retailer TJX was used fraudulently in an $8 million gift card scheme. This happened one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

The health organization that has embedded in its policy that information will be shared "on a need to know basis" needs to be careful about what information it puts on its online portal. At the design stage, you can specify that although some information is stored in the backend health database, this should not appear in the online portal. In summary, the organization should make clear which information assets it is willing to risk by the electronic initiative. Hardcore security personnel might argue that if it's online, it can be compromised. Simply put, the investment in security should be commensurate with the risk, and unnecessary risk represents unnecessary costs.

Inventory the Assets

Q. This is reflective of the inventory process we referred to in our paper "Threats to Physical Security" in Domain 10. When we know what we are protecting, it seems clear that we need to identify what we are protecting it against, and that is usually where the costs begin to crystallize. Can you speak to that?

A. Yes, secondly, I would look for the security problem in question. Are we protecting against insider attacks? Ex-employees? Hackers? Customers? Depending on the situation, I would like to see an estimate of what it would cost to build the defense mechanisms, such as antispam software, VPN appliances, multi-factor authentication gadgets, and so on.

How Much Should We Spend

Q. At this point, we would know what we are protecting and what we need to protect it against, and now we need to get to a place where we know how much we should spend on the solution.

Can you address this?

Cost to Break

A. This is perhaps the most difficult part. After we have costed and proposed a set of solutions, what we need to know next is what it would cost to break (CTB) the proposed defense mechanisms.

The relevance of CTB is that, in the same way as there is a cost to the asset owner for protective systems, there is a corresponding cost to the attacker to break the defense systems. We need to know what that is likely to be to determine the motivation to attack. A high CTB is obviously a disincentive to an attack.

Again, this requires the involvement of security experts, although at times, common sense, followed by brainstorming and focus groups, can be used to reach an estimate. A portal that allows visitors to authenticate using simple username and password (U/P) can be compromised easier than one that allows multifactor authentication.

The CTB might range from zero in the case of password guessing or a rogue employee disclosing the U/P outside of the company, to a significant dollar figure, for example, bribes to subvert trusted personnel.

Cost to Build

A. The cost to build (B) might be zero in the case of the U/P system and might be into the $200,000 region for a $5 token and a 40,000 client base. Although there is usually a direct relationship between Cost to Build and Cost to Break, it is not necessarily a given. Even an expensive solution might be broken inexpensively by stupidity or neglect. Training is an important investment.

Damage from an Attack

Q. So, we have identified and quantified a number of variables in determining the answer to the simple question, "How much is enough?" We have the value of the assets, a range of costs for solutions of varying effectiveness, and an idea of the deterrent based on the Cost to Break. What else do we need to consider?

A. Another important aspect is the damage (D) that can be done in one attack. A denial of service (DoS) attack on an international web site can result in loss of revenue that clocks $100,000 per hour. The limit of transactions in an e-banking application might be an estimate of the exposure that the organization might have by a single unmitigated attack.

These are among the most important parameters that are the basis of the analysis. Using this information, we then build the Return On Information Security Investment (ROISI) triad. Basically, we get an estimate of the success of an attack, the motivation to attack, and the viability of expenditure.


[Figure: ROISI Triad]

All these are probabilistic functions that allow us to analyze extreme cases.

Summary

Q. Obviously, there is a lot more to consider than what we discussed here, particularly with respect to infinitely changing variables. One of the needs that has been identified through our research is the desire by the executive to not only know the answer to "how much is enough," but to also know how the posture of the organization measures up in comparison to its enterprise peers.

To me, this means a need for standards. You have developed a framework that explores in depth the viability of expenditure; however, that is beyond the scope of an introduction, and I would like to explore it in detail in future papers.

In addition to suggesting that security policy be aligned with the objectives of the organization, we examined how to approach the problem of embedding ROI in policy, and touched on a discussion of the framework necessary to manage such a complex issue. To conclude this paper, can you summarize what ROISI means to the management of information security?

A. An organization should not spend more on its information security than the total cost of the portion of information assets that may be lost via an incident of any type. An attacker is not expected to spend more than it costs to build the defense mechanisms but may be prepared to spend less than and possibly close to the value of the information loss that would be incurred by an organization.

By adopting an organized approach to the analysis, ROISI provides the formula that can support a decisive answer to the essential question, "How much is enough?"
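The parameters the interview names (value at risk, Cost to Build B, Cost to Break CTB, damage per attack D) can be put into a small decision-support model. The Python below is an added example written for this page; it is not Mizzi's ROISI framework, whose formulas the interview does not give. The scoring rules are this example's assumptions: a control is only admissible if B does not exceed the value at risk (the spending cap in the summary answer), an attacker is treated as motivated while CTB is below D (the attacker may spend up to about the value of the loss), and controls are ranked by expected annual loss avoided minus B. All dollar figures, attack rates and success probabilities are constructed.

```python
"""Toy ROISI-style decision support (added example, not the interview's own model).

Variables follow the interview: value at risk, cost to build (B), cost to
break (CTB) and damage per attack (D).  The per-attack success probability
and attack rate are this example's additions so that extreme cases can be
explored by changing them.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    build_cost: float        # B: cost to deploy the defence
    cost_to_break: float     # CTB: estimated attacker cost to defeat it
    p_success: float         # assumed probability that one attack succeeds


@dataclass(frozen=True)
class Scenario:
    value_at_risk: float     # portion of information assets exposed
    damage_per_attack: float # D: loss from a single successful attack
    attacks_per_year: float  # assumed attempt rate (constructed)


def expected_annual_loss(control, scenario):
    """Attempts x success probability x loss; a single attack cannot lose
    more than the value at risk, so D is capped there."""
    loss = min(scenario.damage_per_attack, scenario.value_at_risk)
    return round(scenario.attacks_per_year * control.p_success * loss, 2)


def within_budget_cap(control, scenario):
    """Spending cap from the summary: never spend more than may be lost."""
    return control.build_cost <= scenario.value_at_risk


def attacker_motivated(control, scenario):
    """Assumption: while CTB is below the damage an attack can cause,
    the attack stays economically attractive; a higher CTB is a deterrent."""
    return control.cost_to_break < scenario.damage_per_attack


def net_benefit(control, scenario, baseline):
    """Expected loss avoided relative to the baseline, minus the control's B."""
    avoided = (expected_annual_loss(baseline, scenario)
               - expected_annual_loss(control, scenario))
    return round(avoided - control.build_cost, 2)


def evaluate(controls, scenario, baseline):
    """One row per control with the three ROISI-style judgements."""
    return [
        {
            "name": c.name,
            "expected_loss": expected_annual_loss(c, scenario),
            "within_cap": within_budget_cap(c, scenario),
            "attacker_motivated": attacker_motivated(c, scenario),
            "net_benefit": net_benefit(c, scenario, baseline),
        }
        for c in controls
    ]


def choose(controls, scenario, baseline):
    """Name of the admissible control with the highest net benefit."""
    rows = [r for r in evaluate(controls, scenario, baseline) if r["within_cap"]]
    return max(rows, key=lambda r: r["net_benefit"])["name"]


# Constructed figures echoing the interview's U/P-versus-token comparison.
BASELINE = Control("do nothing", build_cost=0, cost_to_break=0, p_success=0.9)
CONTROLS = [
    Control("username/password", build_cost=5_000, cost_to_break=1_000, p_success=0.5),
    Control("hardware token ($5 x 40,000 clients)", build_cost=200_000,
            cost_to_break=150_000, p_success=0.05),
    Control("gold-plated suite", build_cost=2_500_000, cost_to_break=1_000_000,
            p_success=0.01),
]
SCENARIO = Scenario(value_at_risk=2_000_000, damage_per_attack=400_000, attacks_per_year=4)

if __name__ == "__main__":
    for row in evaluate(CONTROLS, SCENARIO, BASELINE):
        print(row)
    print("recommended:", choose(CONTROLS, SCENARIO, BASELINE))
```

With these constructed inputs the token rollout wins: its $200,000 B buys the largest reduction in expected loss, while the "gold-plated" option is the only one that deters the attacker (CTB above D) but fails the spending cap because it costs more than the assets at risk. Changing `p_success` to 1.0 or raising `attacks_per_year` is how the "extreme cases" the triad is meant to expose can be examined.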
