Andy Jaquith's new excellent book, Security Metrics is a must-read for any anyone even slightly interested in getting more scientific about the Art of Security or perhaps even looking to rise up in unison against subjective, biased, sometimes excellent, oft-times not, auditors and other security reviewers that second guess everything you do (no offense to you good auditors out there ;-)).
There is, however, one area that is surprisingly naive and worth calling out, especially since people like SHRDLU at Layer8 and Alex at RiskAnalys.is are reinforcing it. Both have echoed their support for Andy's attack of annual loss expectancy and information asset valuation. Essentially, they are all saying that it feels good not to worry about it because it is hard or impossible to do. Ouch.
In my mind, this is an endorsement of the Donn Parker approach to risk management which is to not manage risk. It is like suggesting that a fundamental truth about the universe can simply be ignored.
There is one glaring problem with this line of reasoning - it is impossible to ignore loss expectancy and asset valuation in risk management.
This is as fundamental a problem as we have in information security today.
The truth is: whether you like it or not, every decision made in your life is based on value judgement. Philosophers wax profoundly about this; economists work to measure it. In information security and risk management, you can be either a philosopher focused on some intangible value associated with the inner peace of managed risk or you can be an economist working to understand the IT environment so it can be properly characterized and assigned some level of scale. In either case, you are acting within the realm of value and tradeoffs.
Before I go further, I should mention that Andy is correct in his book in asserting that these financial value numbers are not metrics per se - they could, however, be used as one piece of a ratio metric, for example, but on the face of things they are not.
Metrics aside, to make a bold statement that you can safely ignore loss expectancy and asset value is incorrect: as I mentioned, you can't get away from it. In fact, it is worse than incorrect if others are going to pick up on it and perpetuate it - and to target this issue in a metrics book is really bizarre.
Your risk management decisions are always associated with the question "is it worth it?" and therefore must at least implicitly include a judgement call about value for every decision you make. So if your decision process includes "winging it" then you can pretend to ignore value and loss, but you really haven't - you've just made it so personal and malleable as to create ambiguity everywhere and justify anyone's position.
For some reason, people want a universal notion of value in infosec, even though we don't have it anywhere else in the world - without different perspectives on value, there can be no financial markets. Even within the scope of currency, exchange rates are constantly fluctuating. Some people will pay $3k for Notre Dame football tickets and some won't. Heck, the concept of "goodwill" in accounting was specifically created to collect the result of value differences.
From a financial perspective, the only thing that matters is that the appropriate people agree on the valuation; anyone else can freely disagree without changing the decision at hand.
Another criticism is that valuation (like metrics) can be "gamed". True enough. But they can't be cloaked in ambiguity like qualitative judgement can. They may not be precise, but they are certainly clear. With specific valuation, one can recognize scale at the very least - to calibrate the security professional's version of "high risk" with the executive's version of same, for example.
The real problem people have with ALE and asset valuation is that it is too "hard". This depends on how and where you start. At the very least, collecting costs and assigning that as a "minimum value" representation is not hard to do. An "overhead" value can even be applied to resources across the board, the same way accountants do it. And perhaps in the near-term future we'll be able to use methods that mirror activity-based costing. Your accounting department may already be doing this. Even if they aren't, this is not a difficult issue.
You can evade the clarity that comes with quantification, but you can't get away from value and loss.
Your criticism is FAIR enough (sorry, couldn't resist). I actually have not offered an alternative.
I believe the alternative lies in processes, not assets.
But measuring the value of a process, unless you've got some hot shot consulting company (*cough*) is problematic.
Hopefully someone will figure it all out and distribute the answer using some open or semi-open license.
Posted by: Alex | April 18, 2007 at 07:38 PM
Been following the draft work for ISO 27004? It's all about setting an international standard for infosec measurements. Essentially, layering on top of 27001 system for managing controls (controls being in 17799). Lotsa tough math in there... but I see that as a good thing.
Posted by: PlanetHeidi | April 19, 2007 at 10:47 AM