Dimensions of security

I’ve been doing a lot of security awareness training internally over the last few weeks. I thought I’d share one particular way of looking at risks that we found useful.

One problem in risk analysis comes early in the process: identifying the risks you want to assess. People – even security professionals – tend to focus on big-ticket risks, like natural disasters or directed hacks. Why? Because we’re human, and we react to the media around us and to our instinctive fears – fire, flood, enemy attack. Some of these risks are real, and some may also be disastrous if not mitigated, but they’re rarely the most relevant to our day-to-day business operations.

So how do you make sure you’ve covered a wider range of risks, without getting bogged down in detail, or distracted by wild speculation? This latter is usually the wag in the room who pipes up with “What if there’s an asteroid strike on the data centre?”. No so funny after last week’s Russian experience, but still pretty unlikely, and I don’t think the board will be signing off on the space shuttle and roughnecks budget any time soon.

Our approach is to break risk down into two dimensions and two categories, with two inflections for one of the categories, as follows:

Dimensions

Endogenous risk relates to risks inside your organisation.

Exogenous risk means risk from the outside.

Categories

Intentional risk implies active malicious intent; this can be inflected as:

  • Directed risk is targeted at you, specifically.
  • Undirected risk affects you by chance, or as part of a wider spread of impact.

Unintentional risk results from accident or carelessness

Groups

Endogenous intentional directed – bad stuff done by your people to you on purpose. People on the inside are best placed to cause real damage, so worry about this. As you’ll see, though, there are other things to worry about more.

Endogenous intentional undirected  – means nothing: it can’t be intentional and undirected, if it’s internal: obviously they’re attacking you on purpose.

Exogenous intentional directed –for example, actual hackers actually hacking you rather than someone else. Your Hugh Jackman in Swordfish moment. This is on the rise; it could happen to you. But unless there’s a good reason for you to be a target, it’s not high on the likelihood scale. See below, too:

Exogenous intentional undirected – viruses and malware are the obvious examples. You are under attack from these agents right now – and so is everyone else. You’ve almost certainly been compromised. In some cases, this may open you up to a directed attack, once the malware phones home and the hackers find out what you’ve got. But don’t just think about technology: burglary is an exogenous intentional threat, too, and most burglars are opportunists – although, once more, you might also be a visible juicy target for an intentional intrusion, depending on what you do for a living.

Endogenous unintentional – the big kahuna. If you worry about one thing, worry about this. The greater part of all your infosec risk arises from staff negligence and, frankly, stupid behaviour. Not only is this your biggest risk, it’s also the one you benefit most from fixing, as the mitigation is usually process improvements and training, which will filter through to productivity and customer satisfaction as well as information security.

Exogenous unintentional – flood, fire, famine, pandemic, earthquake, asteroid impact. But not just the big, rare, scary stuff. Also the transport strike, the local power outage, the network congestion, the currency crisis – anything that the outside world can throw at you that might threaten the confidentiality, integrity or availability of your data and by extension your business.

Conclusion

So we end up with five groups of risk:

  1. Endogenous-intentional-directed
  2. Exogenous-intentional-directed
  3. Exogenous-intentional-undirected
  4. Endogenous-unintentional
  5. Exogenous-unintentional

Work through each group, brainstorming the list and plotting each one on a typical likelihood/impact Boston square. Then go away to work out all the usual cost/benefit mitigation analysis, starting with the stuff in the top right corner – high likelihood, high-impact. You’ll end up with a manageable risk analysis exercise that has only just enough Hollywood seasoning to keep it interesting.

5 thoughts on “Dimensions of security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s