Measuring True Security Risk

Compliance tends to drive security. Perhaps it’s no wonder, then, that finding a way to make sure all the regulatory boxes are checked is high on the wish list of IT security managers.

But compliance and security aren’t always the same. Many experts say companies should spend additional time analyzing their security risks. With input from multiple departments, they should use this data to help optimize security spending.

These are some themes of two recently published reports. One, from the American National Standards Institute (ANSI) of Washington, and the Internet Security Alliance (ISA) of Arlington, Virginia, aims to help individual companies analyze, calculate, and budget for their unique risks. Another, from Verizon Business of Basking Ridge, New Jersey, shows how cyber and data loss risks differ across industries.

“The trouble [with compliance] is that it’s sometimes written by bureaucrats in a vacuum,” says Tom Wills, a senior analyst at Pleasanton, California’s Javelin Strategy and Research. Some major regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley, apply to many different kinds of organizations, he says.

These rules do not, therefore, address all the relevant risks. Wills advises conducting threat assessments at least two or three times annually.

The ANSI-ISA report, The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask, helps tease out a company’s unique risks with its question-and-answer format, according to an accompanying statement. Aiming to assess cyber risk from the perspective of “core business functions,” it recommends broad company participation, including involvement of “CFOs and other executives responsible for legal, business, technology, privacy, and other issues.”

The document also offers a number of risk calculations, which generally involve multiplying the severity of an event by its likelihood of occurrence. The calculations can also account for changes in risk and cost associated with handing data over to third parties. A list of existing standards is also provided to help firms develop an overall risk-management framework.
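To make the severity-times-likelihood approach concrete, here is an added illustration (not a calculation taken from the ANSI-ISA report, whose actual worksheets are not reproduced on this page). It ranks a handful of constructed risk scenarios by how much expected annual loss a candidate control removes relative to what the control costs, and shows one way to re-express a scenario when the data is handed to a third party; the scenario names, dollar figures, probabilities and the `likelihood_factor` adjustment are all assumptions made up for the example.

```python
"""Illustrative annualised-risk ranking: severity x likelihood, plus a
third-party variant. All figures below are constructed for the example."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    severity_usd: float         # estimated loss if the event occurs once
    annual_likelihood: float    # probability of at least one occurrence per year
    control_cost_usd: float     # yearly cost of the mitigation being weighed
    residual_likelihood: float  # likelihood once that mitigation is in place


def expected_loss(severity_usd: float, likelihood: float) -> float:
    """Annualised expected loss: severity multiplied by likelihood."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    if severity_usd < 0:
        raise ValueError("severity must be non-negative")
    return severity_usd * likelihood


def net_benefit(s: Scenario) -> float:
    """Expected loss avoided by the control, minus the control's own cost.
    A negative value means the control costs more than the risk it removes."""
    before = expected_loss(s.severity_usd, s.annual_likelihood)
    after = expected_loss(s.severity_usd, s.residual_likelihood)
    return (before - after) - s.control_cost_usd


def rank_controls(scenarios):
    """Return (name, net_benefit) pairs, best spend first."""
    ranked = [(s.name, round(net_benefit(s), 2)) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def outsourced_variant(s: Scenario, likelihood_factor: float,
                       added_severity_usd: float) -> Scenario:
    """Re-express a scenario for the case where the data is handed to a third
    party: likelihood is scaled (capped at 1.0) and severity grows by the extra
    cost of a breach outside your own control (notification, contract terms).
    Both adjustment parameters are assumptions supplied by the analyst."""
    scaled = min(1.0, s.annual_likelihood * likelihood_factor)
    return replace(s,
                   name=s.name + " (third party)",
                   severity_usd=s.severity_usd + added_severity_usd,
                   annual_likelihood=scaled)


# Constructed sample scenarios, loosely echoing the sector findings discussed
# on this page (privileged insiders, wireless, partner connections).
SCENARIOS = [
    Scenario("privileged insider misuse", 2_000_000, 0.05, 40_000, 0.02),
    Scenario("wireless network compromise", 500_000, 0.30, 60_000, 0.05),
    Scenario("misconfigured partner connection", 800_000, 0.10, 90_000, 0.02),
]


if __name__ == "__main__":
    for name, benefit in rank_controls(SCENARIOS):
        print(f"{name:40s} net benefit of control: {benefit:>12,.2f} USD/yr")
    partner = SCENARIOS[2]
    outsourced = outsourced_variant(partner, likelihood_factor=1.5,
                                    added_severity_usd=100_000)
    print(f"{partner.name}: in-house expected loss "
          f"{expected_loss(partner.severity_usd, partner.annual_likelihood):,.0f}, "
          f"outsourced {expected_loss(outsourced.severity_usd, outsourced.annual_likelihood):,.0f}")
```

The ranking deliberately uses net benefit rather than raw expected loss: the largest risk on the list is not always the one where the next dollar of security spending does the most good, which is the point the report makes about optimising budgets rather than merely identifying threats.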

One way organizations can better align business and IT security goals on an ongoing basis is by giving business executives some security-related responsibilities, says Wills. He knows of one large financial company, for example, that formally evaluates the security performance of managers across the enterprise. In one section of their job evaluations, managers are assessed on how well they comply with corporate security policies, he says.

The Verizon Business report builds on a larger study published by the firm last summer. The 2008 Data Breach Investigations Supplemental Report analyzes differences in data breaches across four different industries: finance, high-tech, retail, and food.

In the financial sector, one conclusion was that some of the biggest threats came from inside, especially from privileged users. Finance was also the only area in which insiders represented a greater threat than third-party partners. Cyberattacks also tended to be more sophisticated in that sector.

Perhaps surprisingly, the highest rate of data loss from employee errors was in the high-tech sector. High-tech firms also had a relatively hard time tracking data and configuring systems. This is mainly due to the relative complexity of their technological environments, according to Bryan Sartin, a Verizon Business managing principal. Firms in this sector tend to run more systems, devices, and applications than those in other sectors, he says. As a result, “things tend to get misplaced or forgotten.” The sophistication of attacks and the high insider threat levels were similar in high tech and financial services firms.

Most data losses in both the retail and food-and-beverage sectors stemmed from outside attacks. About 70 percent of retail attacks involved hacking wireless systems. In the food industry, most attackers exploited weaknesses in data connections with third parties. Poor configurations, rather than application or software weaknesses, led to most break-ins.

The study reveals the extent of the differences in sector risk, says Dr. Peter Tippett, vice president of research and intelligence at Verizon. That’s just one more piece of evidence—if any were needed—that it’s important to avoid a “one-size-fits-all” approach to security, he says.