This is the third part of our Business Justification for Data Security series (Part 1, Part 2), and if you have been following the series this far, you know that Rich and I have complained about how difficult this paper was to write. Our biggest problem was fitting risk into the model. In fact we experimented with, and ultimately rejected, a couple of models because the reduction of risk from any given security investment was non-linear. And there were many threats and many different responses, few of which were quantifiable, making the whole effort 'guesstimate' soup. In the end, risk became our 'witching rod': a guide to how we balance value against loss, but just one of the tools we use to examine investment decisions.

Measuring and understanding the risks to information

If data security were a profit center, we could shift our business justification discussion from the value of information straight into assessing its potential for profit. But since that isn't the case, we are forced to examine potential reductions in value as a guide to whether action is warranted. The approach we need to take is to understand the risks that directly threaten the value of data, and the security safeguards that counter those risks.

There's no question our data is at risk: from malicious attackers and nefarious insiders to random accidents and user errors, we read about breaches and loss nearly every day. But while we have an intuitive sense that data security is a major issue, we have trouble getting a handle on the real risks to data in a quantitative sense. The number of possible threats and ways to steal information is staggering, and when it comes to quantifying risks, we lack much of the information needed for an accurate understanding of how those risks affect us.

Combining quantitative and qualitative risk estimates

We'll take a different approach to looking at risk: we will quantify the things we can, qualify the things we can't, and combine them in a consistent framework. While we can measure some risks, such as the odds of losing a laptop, it's nearly impossible to measure others, such as a database breach via a web application due to a new vulnerability. If we limit ourselves to what we can precisely measure, we won't be able to account for many real risks to our information. Including quantitative assessments wherever possible still matters, though: they are a powerful tool for understanding risk and influencing decisions, and they help validate the overall model.

For our business justification model, we deliberately simplify the risk assessment process to give us just what we need to understand the need for data security investments. We start by listing the pertinent risk categories, then the likelihood or annual rate of occurrence for each risk, followed by severity ratings broken out for confidentiality, integrity, and availability. For risk events we can predict with reasonable accuracy, such as lost laptops with sensitive information, we can use numbers. In the example below, we know the Annualized Rate of Occurrence (ARO), so we plug that value in. For less predictable risks, we simply rate them from "low" to "high". We then mark off our currently estimated (or measured) level in each category. For qualitative measures we will use a 1-5 scale, but this is arbitrary, and you should use whatever scale provides a level of granularity that aids understanding.

Risk Estimation: Credit Card Data (Sample):

Risk                     Likelihood/ARO   C   I   A   Total
Lost Laptop                          43   4   1   3      51
Database Breach (Ext)                 2   5   3   2      12

This is the simplified risk scorecard for the business justification model; each total is simply the sum of the row's likelihood/ARO and its C, I, and A ratings. The totals aren't meant to compare one risk category to another, but to derive estimated totals we will use in our business justification to show potential reductions from the evaluated investment. While different organizations face different risk categories, we've included the most common data security risks here, and in Section 6 we show how this integrates into the overall model.
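To make the scorecard arithmetic concrete, here is the table above as a small script. This is an added example and not code from the Securosis model itself: it assumes a low/medium/high to 1/3/5 mapping for qualitative likelihoods, adds a constructed third row (an inadvertent email disclosure rated qualitatively), and evaluates a hypothetical control (laptop encryption plus endpoint DLP) whose re-ratings are illustrative guesses, not measured data. The two rows taken from the table reproduce its totals of 51 and 12.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Union

# Qualitative likelihood ratings mapped onto the article's 1-5 scale.
# The exact mapping is an assumption for this example; use whatever
# granularity helps your own understanding.
QUALITATIVE_SCALE = {"low": 1, "medium": 3, "high": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Union[float, str]  # measured ARO (a number) or "low"/"medium"/"high"
    c: int  # confidentiality severity, 1-5
    i: int  # integrity severity, 1-5
    a: int  # availability severity, 1-5

    def likelihood_score(self) -> float:
        """Quantified risks plug the ARO straight in; qualitative ones use the scale."""
        if isinstance(self.likelihood, str):
            return float(QUALITATIVE_SCALE[self.likelihood.lower()])
        return float(self.likelihood)

    def total(self) -> float:
        """Row total as in the scorecard table: likelihood/ARO + C + I + A."""
        for label, value in (("C", self.c), ("I", self.i), ("A", self.a)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {label} severity {value} is outside 1-5")
        return self.likelihood_score() + self.c + self.i + self.a


def scorecard(risks: List[Risk]) -> Dict[str, float]:
    """Row totals keyed by risk name."""
    return {r.name: r.total() for r in risks}


def apply_control(risks: List[Risk],
                  adjustments: Dict[str, Dict[str, Union[float, str]]]) -> List[Risk]:
    """Re-rate the rows a control affects. `adjustments` maps a risk name to the
    fields (likelihood, c, i, a) the control changes; other rows pass through."""
    return [replace(r, **adjustments.get(r.name, {})) for r in risks]


def reduction(before: List[Risk], after: List[Risk]) -> Dict[str, float]:
    """Per-row drop in total, the figure carried into the business justification.
    Rows are not compared with each other, only with their own pre-control value."""
    b, a = scorecard(before), scorecard(after)
    return {name: b[name] - a[name] for name in b}


# Sample rows: the first two are the article's credit card data example; the
# third is constructed for this example to show a qualitative likelihood.
SAMPLE_RISKS = [
    Risk("Lost Laptop", 43, c=4, i=1, a=3),
    Risk("Database Breach (Ext)", 2, c=5, i=3, a=2),
    Risk("Inadvertent Disclosure (email)", "medium", c=4, i=1, a=1),
]

# Hypothetical control under evaluation: laptop full-disk encryption plus
# endpoint DLP. These re-ratings are illustrative assumptions, not measurements.
LAPTOP_ENCRYPTION_PLUS_DLP = {
    "Lost Laptop": {"c": 1},  # encrypted disk: confidentiality impact of a loss drops
    "Inadvertent Disclosure (email)": {"c": 2, "likelihood": "low"},  # DLP catches most slips
}

if __name__ == "__main__":
    before = scorecard(SAMPLE_RISKS)
    after_risks = apply_control(SAMPLE_RISKS, LAPTOP_ENCRYPTION_PLUS_DLP)
    after = scorecard(after_risks)
    for name, drop in reduction(SAMPLE_RISKS, after_risks).items():
        print(f"{name:32} {before[name]:6.1f} -> {after[name]:6.1f}  (reduction {drop:.1f})")
```

Note that a control touching several rows (here DLP and encryption together) shows up as a reduction on each of them, which is the point made later in this section about controls that cut losses across multiple risk categories. The severity range check is deliberate: a rating outside the chosen scale silently distorts the totals, so the script refuses it rather than summing it.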

Common data security risks

The following is an outline of the major categories of information loss. Any time you read about a data breach, one or more of these events occurred. This list isn't intended to be comprehensive; rather, it provides an overview of common data security risk categories to give you a jump start on implementing the model. Rather than discuss each and every threat vector, we present logical groups to illustrate that the risks and potential solutions tend to be very similar within each category. The principal categories to consider are:

Lost Media

This category describes data at rest, residing on some form of media, that has been lost or stolen. Media includes disk drives, tape, USB/memory sticks, laptops, and other devices. This category accounts for the majority of data loss cases. Typical security measures for this class include media encryption, media "sanitizing" (secure wiping before reuse or disposal), and in some cases endpoint Data Loss Prevention (DLP) technology.

  • Lost disks/backup tape
  • Lost/stolen laptop
  • Information leaked through decommissioned servers/drives
  • Lost memory stick/flash drive
  • Stolen servers/workstations

Inadvertent Disclosure

This category covers data accidentally exposed in some way that leads to unwanted disclosure. Examples include email sent to the wrong recipients, posting confidential data to web sites, unsecured Internet transmissions, missing access controls, and the like. Safeguards include email and web security platforms, DLP, and access control systems. Each is effective, but only against certain threat types. Process and workflow controls are also needed to help catch human error.

  • Data accidentally leaked through email (Sniffed, wrong address, un-purged document metadata)
  • Data leaked by inadvertent exposure (Posted to the web, open file shares, unprotected FTP, or otherwise placed in an insecure location)
  • Data leaked by unsecured connection
  • Data leaked through file sharing programs (these are used to move large files efficiently, and possibly illegally)

External Attack/Breach

This category describes instances of data theft where company systems and applications are compromised by a malicious attacker, affecting confidentiality and integrity. Typical attacks include compromised accounts/passwords, SQL injection, buffer overflows, web site attacks, trojans, viruses, network "sniffers", and others. Successful compromise often results in the installation of additional malicious code. While not the most frequent, this category includes the most damaging data breaches and is the most likely to result in fraud. Almost any security control may assist in detection, but assessment, penetration testing, data encryption, and application security are the common preventive controls, with application and database monitoring, WAFs, and flow-based detection popular as detective controls.

  • Data theft through compromised account (weak passwords)
  • Database breach (Databases are extraordinarily complex applications. The term “database breach” applies to many different types of attacks on a database server)
  • Web application breach (logic flaw, exploit)
  • Database breach by insider (employee, partner, contractor)
  • Breach via compromised endpoint

Remember that this evaluation is risk based; we'll cover potential loss measurements in the next section. While this might seem counterintuitive, this method allows us to account for security controls that reduce potential losses across multiple risk categories, and it reduces complexity. Remember, we are focusing on business justification, not a comprehensive risk management system. We wanted to couple quantifiable and qualitative elements; otherwise every justification project would become a two-year risk assessment.