Despite this increased awareness and the persistent recommendations
for improvement, key areas of information-security risk management and associated
risk metrics continue to receive precious little attention. Although many guidance
documents advocate taking a managed approach to risk — including risk analysis
and assessment — none of them clearly and consistently define what constitutes
a proper risk analysis and assessment. Even the well-known ISO 17799 standard
falls well short of providing the kind of nuts-and-bolts “how-to”
guidance that is needed, in my opinion.
The lack of formalized qualitative and quantitative risk metrics impairs the ability
of risk managers and security professionals to effectively and consistently measure
risk and points to the absence of a sound framework against which to record quantitative
threat-experience data. Establishing a risk-management framework and risk
metrics would greatly improve risk management by giving organizations a basis
for risk analysis and assessment that would enable them to make business
decisions about managing security risks.
SOME PROGRESS MADE
As early as the mid-1970s, the basic metrics
of risk were established, but they were not formalized or widely disseminated.
In these early years, a variety of risk-assessment methodologies and techniques
emerged to help organizations identify and manage nonclassified information-security
risks on a cost-benefit basis.
Some of the manual methodologies and automated approaches that were developed
during the 1980s were well-conceived and are still used today. Other approaches
fell by the wayside. Highly subjective qualitative methodologies provided no real
support for the standard business decision-making model, which is based on return
on investment (ROI).
Conducting quantitative risk assessments without supporting automated tools
proved to be almost impossibly time-consuming, complex, and inflexible. Also,
they were completely incapable of supporting the “what-if” analysis
that is essential to sound business decision-making. The inconsistent use of risk
metrics and misinformation about risk further clouded the issues.
There has been progress in developing information-security risk metrics over
the past two decades, but there is still a way to go before standard metrics are
established, adopted, and practiced. To start with, the need to identify, measure,
and manage information-security risk has been established and subsequently reinforced,
albeit tentatively. The U.S. National Institute of Standards and Technology identified
key qualitative and quantitative risk metrics and established a high-level framework
of the risk-analysis and assessment process related to the broader function of
information-security risk management, but this work was never formalized. Many
organizations have published information-security risk-management guidance, including:
However, in most of the above documents and other guidance, the essential distinction
between control objectives and controls is either not clearly established
or not established at all. If the managed risk approach to information security
were not recognized as the best way to achieve good information security, this
would not be a big deal. But it is. It is virtually impossible to measure risk
against “objectives,” but it is not difficult to measure risk against
the lack or ineffective implementation of controls.
In addition to the above guidance publications, the Information
Systems Security Association (ISSA) Guidance for Information Valuation
has established methods and metrics for valuing an organization’s information
assets. Critics who are unaware of this guidance have asserted that the lack of
such metrics is an obstacle to executing quantitative risk analysis and assessment,
because organizations don’t know how to establish the monetary value of
their information assets.
Additionally, a variety of automated disaster-recovery planning, logical access-control,
antivirus, authentication, encryption, and firewall technologies have helped organizations
manage information security. That said, without applying quantitative risk-analysis
and assessment techniques to the issues, there is no reliable basis — specifically
ROI — for determining how much money to spend to acquire and administer
these risk-management tools.
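The "what-if" analysis and ROI-based spending decision discussed above, as an added example that is not code from the article or its author: a small quantitative risk model in the annualized-loss-expectancy (ALE = single-loss expectancy × annual rate of occurrence) style commonly used in quantitative risk analysis, which compares candidate controls on a return-on-investment basis and, following the article's point that risk is measured against the lack or ineffective implementation of a control rather than against an objective, lets the same control be evaluated at partial implementation. The asset, threat figures, control costs and effectiveness fractions are all constructed sample values, and the `implementation` scaling factor is a modeling assumption of this example.

```python
"""
Added example, not code from the article or its author: a small quantitative
risk model in the annualized-loss-expectancy (ALE) style commonly used in
quantitative risk analysis, with what-if comparison of control options on a
return-on-investment basis. Every figure below (asset losses, occurrence rates,
control costs, effectiveness fractions) is a constructed sample value.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss_expectancy: float     # expected loss per occurrence (currency units)
    annual_rate_of_occurrence: float  # expected occurrences per year

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction (0..1) by which the control, fully implemented, reduces a threat's
    # occurrence rate or loss per occurrence; threats not listed are unaffected.
    rate_reduction: dict = field(default_factory=dict)
    loss_reduction: dict = field(default_factory=dict)


def baseline_ale(threats):
    """Total ALE with no control in place."""
    return sum(t.ale() for t in threats)


def residual_ale(threats, control, implementation=1.0):
    """ALE remaining once the control is in place.

    `implementation` (0..1) is an assumed scaling (this example's own modeling
    choice) for how completely the control is actually deployed: 1.0 is full
    effect, 0.0 is the same as having no control at all.
    """
    total = 0.0
    for t in threats:
        rate = t.annual_rate_of_occurrence * (
            1 - implementation * control.rate_reduction.get(t.name, 0.0))
        loss = t.single_loss_expectancy * (
            1 - implementation * control.loss_reduction.get(t.name, 0.0))
        total += rate * loss
    return total


def what_if(threats, control, implementation=1.0):
    """One what-if scenario: risk before and after, and the ROI of the spend."""
    before = baseline_ale(threats)
    after = residual_ale(threats, control, implementation)
    risk_reduction = before - after
    net_benefit = risk_reduction - control.annual_cost
    roi = net_benefit / control.annual_cost if control.annual_cost else float("inf")
    return {"control": control.name, "ale_before": before, "ale_after": after,
            "risk_reduction": risk_reduction, "annual_cost": control.annual_cost,
            "net_benefit": net_benefit, "roi": roi}


def rank_controls(threats, controls, implementation=1.0):
    """Scenarios in descending ROI order, so the choice is a cost-benefit one."""
    scenarios = [what_if(threats, c, implementation) for c in controls]
    return sorted(scenarios, key=lambda s: s["roi"], reverse=True)


# Constructed sample: three threats to one customer-records database.
THREATS = [
    Threat("ransomware", single_loss_expectancy=200_000, annual_rate_of_occurrence=0.25),
    Threat("insider data theft", single_loss_expectancy=500_000, annual_rate_of_occurrence=0.05),
    Threat("disk failure", single_loss_expectancy=20_000, annual_rate_of_occurrence=1.0),
]

# Constructed sample: two candidate controls with assumed costs and effects.
CONTROLS = [
    Control("offline backups", annual_cost=15_000,
            loss_reduction={"ransomware": 0.8, "disk failure": 0.9}),
    Control("access logging and review", annual_cost=30_000,
            rate_reduction={"insider data theft": 0.6}),
]

if __name__ == "__main__":
    print(f"baseline ALE: {baseline_ale(THREATS):,.0f}")
    for s in rank_controls(THREATS, CONTROLS):
        print(f"{s['control']:<26} cost {s['annual_cost']:>8,.0f}  "
              f"residual ALE {s['ale_after']:>8,.0f}  ROI {s['roi']:+.2f}")
    # Same control only half implemented: the what-if shows how far the ROI drops.
    half = what_if(THREATS, CONTROLS[0], implementation=0.5)
    print(f"{half['control']} at 50% implementation: ROI {half['roi']:+.2f}")
```

With the sample figures the baseline ALE is 95,000; offline backups cut it to 37,000 for a 15,000 spend (ROI about +2.87), while the logging control cuts it only to 80,000 for 30,000 (ROI -0.5), so the ranking makes the spending decision explicit. Running the backups control at 50% implementation leaves a residual ALE of 66,000 and an ROI of about +0.93, which is the kind of measurement against ineffective implementation of a control that the article argues for.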
First appeared at ITAudit
About the Author:
Will Ozier is founder, President and CEO of the information security products
and consulting services firm, OPA Inc. - The Integrated Risk Management Group
(OPA). He is a leading expert in risk assessment, with broad experience consulting
to many Fortune 500 companies and state governments, as well as NASA, GSA, the
US Army, and the President’s Commission on Critical Infrastructure Protection.
Prior to becoming an information security consultant in 1982, Mr. Ozier held key
technical and management positions with Levi-Strauss, World Savings, United Vintners,
Fireman's Fund Insurance Company, and Wells Fargo Bank. Mr. Ozier was Principal
Author for The Institute of Internal Auditors’ Information Security Management
and Assurance: A Call to Action for Corporate Governance under contract to the
federal Critical Infrastructure Assurance Office. Mr. Ozier was instrumental in
advancing this CIAO initiative as well as recommendations of the PCCIP embodied
in and promoted by this document, advocating quantitative risk assessment and
advancement of the GASSP (now the Generally Accepted Information Security Principles
– GAISP).
Read this newsletter at: http://www.securitypronews.com/2003/0807.html