This document discusses data security metrics and a value-based approach. It introduces common objections to data security investments and argues that anything can be measured. It then outlines why metrics are important for data security and why quantifying risk is beneficial. The document describes typical data security metrics and provides an example of a quantitative risk model. Finally, it discusses measurement methods and how continuous improvement is important.
Data Security Metrics: a Value Based Approach
1. Data security metrics and a value based approach
Licensed under the Creative Commons Attribution License
Danny Lieberman
dannyl@controlpolicy.com www.controlpolicy.com
2. Why?
“I don't need data security, we outsource our IT to one of the big banks”
“It's never happened to us before”
“You can't estimate asset value”
“We encourage risk taking”
“I don't take risks”
True quotes from real people
3. Agenda
• Introduction and welcome
• What is data security?
• Anything can be measured
• Why metrics?
• Why quantify risk?
• Measurement methods
• Continuous improvement
• Questions and answers
5. What the heck is data security?
• Security
– Ensure we can survive & add value
• Physical, information, systems, people
• Data security
– Protect data directly in all realms
6. Anything can be measured
All exact science is based on approximation.
If a man tells you he knows a thing exactly, then you can be safe in
inferring that you are speaking to an inexact man.
Bertrand Russell
7. Data security metrics
• Dimensions
– organization, channel and content
• Typical metrics
– % of employees that signed the AUP
– % Webmail traffic/all mail traffic
– % Office files by Webmail/Employees
– No. of revenue transactions
– Cost of security for operational/revenue systems
– Cost of security for customer service systems
– Cost of security for FnA systems
– Value of assets in Euro
– Total value at risk of assets
8. Why do we need metrics?
• Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) ignores the hard stuff: quantification and prioritization of your actions based on financial value of assets and measurement of threat impact
“Ignorance is never better than knowledge”
Enrico Fermi
9. Why bother quantifying risk?
• Why not qualitative metrics?
When was the last time a customer paid a “qualitative price”?
10. Quantitative risk model(*)
• Metrics: asset value, threat damage to asset, threat probability
• Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability
(*) PTA - Practical threat analysis risk model
11. Quantitative risk model benefits
• Run security like you run your business
– Quantify and prioritize actions in Euro/USD
– Justify data security investments
• Measure improvement
– Reduced risk
– Lower costs
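The Value at Risk formula from slide 10 and the Euro-based prioritization of slide 11, worked through as an added Python example that is not part of the deck or of the PTA tool; the asset values, damage fractions, probabilities and the countermeasure cost are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    """One threat against one asset, carrying the model's three metrics."""
    name: str
    asset: str
    damage: float       # fraction of the asset value the threat would destroy (0..1)
    probability: float  # probability that the threat materialises (0..1)

    def __post_init__(self):
        if not (0.0 <= self.damage <= 1.0 and 0.0 <= self.probability <= 1.0):
            raise ValueError(f"{self.name}: damage and probability must lie in 0..1")

# Constructed sample data (assumptions, not figures from the deck); asset values in Euro.
ASSETS = {
    "customer database": 2_000_000.0,
    "billing system": 800_000.0,
    "HR records": 150_000.0,
}
THREATS = [
    Threat("database exfiltration via webmail", "customer database", 0.5, 0.10),
    Threat("billing system outage", "billing system", 0.8, 0.05),
    Threat("HR records leak", "HR records", 1.0, 0.20),
]

def value_at_risk(threat, assets):
    """Value at Risk = threat damage to asset x asset value x threat probability."""
    return threat.damage * assets[threat.asset] * threat.probability

def total_value_at_risk(threats, assets):
    """Total value at risk of assets: the sum over every threat/asset pair."""
    return sum(value_at_risk(t, assets) for t in threats)

def rank_threats(threats, assets):
    """Largest Value at Risk first: the order in which to prioritize actions."""
    return sorted(threats, key=lambda t: value_at_risk(t, assets), reverse=True)

def countermeasure_net_benefit(threat, assets, new_probability, cost):
    """Risk reduction in Euro minus control cost; positive justifies the investment."""
    reduced = Threat(threat.name, threat.asset, threat.damage, new_probability)
    return value_at_risk(threat, assets) - value_at_risk(reduced, assets) - cost

if __name__ == "__main__":
    for t in rank_threats(THREATS, ASSETS):
        print(f"{t.name:40s} EUR {value_at_risk(t, ASSETS):>12,.0f}")
    print(f"{'total value at risk':40s} EUR {total_value_at_risk(THREATS, ASSETS):>12,.0f}")
```

The same horizon (e.g. one year) must be used for the threat probability and the control cost, or the net benefit compares unlike quantities.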
12. Measurement methods
• Hand sampling
– Small samples of employees, routers...
• The “Rule of 5”
• Expert estimates
– The CFO
• Pros at asset valuation
• Test equipment
13. Test equipment
[Diagram of the test equipment: Management (Provisioning, Events, Reporting, Policies); Data Warehouse; Document Server; Forensics; Detection point (Interception, Session, Decoders, Message, Policies, Countermeasures).]