Posted by:
admin
15 years, 8 months ago
There is a very interesting article (an old one - sorry, I'm running behind) on CSO Online called Value Made Visible about how American Water's Bruce Larson has developed a security metric called Value Protection:

The basic Value Protection metric is a ratio that looks like this: Value Protection = (Normal Operations Cost ($) – Event Impact ($)) / Normal Operations Cost ($). In formula:

VP = (N – E) / N

The idea then is to have your VP as close to one as possible.

I've looked at this a number of times and it just never makes sense, though I hate to knock anyone who is measuring and managing against that measurement, particularly in the vague world of information security.

An example would be that your normal operating costs are 1,000,000. If an Event Impact costs $500,000, your VP is 50%, which is really bad. Here's what I don't get: why divide by N? Why not just make it N/E? I guess they are looking at different impacts from different possible events, so that an annual VP would look like AVP = (AN – (E1 + E2 + E3 + ... + En)) / AN? If they are looking at individual possible events, I think a holistic approach would be better. Your SIM, for example, can protect against multiple events.
I really like the way they estimate the Event Impact, which seems to be very close to Average Loss Expectancy:

Event impact E is the sum of five types of costs that result from an event. Those cost types are: response costs (Rp), recovery costs (Rc), cost of penalties (Pn), costs associated with lost revenue (LR) and costs related to damage in perception or reputation (Pc).

Larson also includes only numbers for which he has hard figures, so costs to reputation are rarely included. While that may tend to understate the costs, it increases the credibility of Larson's numbers internally.
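To make the two formulas above concrete, here is an added example (not code from the post or from the CSO article) that builds Event Impact from the five cost components, leaves out components with no hard figure the way Larson does, and computes both the single-event VP and the annual variant proposed above; all dollar figures are constructed and the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EventImpact:
    """Cost components of one security event, in dollars.
    A component left as None has no hard figure and is excluded from the sum,
    mirroring Larson's practice of only counting numbers he can substantiate."""
    response: float                      # Rp
    recovery: float                      # Rc
    penalties: float = 0.0               # Pn
    lost_revenue: float = 0.0            # LR
    reputation: Optional[float] = None   # Pc, rarely a hard figure

    def total(self) -> float:
        parts = [self.response, self.recovery, self.penalties, self.lost_revenue]
        if self.reputation is not None:
            parts.append(self.reputation)
        return sum(parts)


def value_protection(normal_ops_cost: float, event_impact: float) -> float:
    """VP = (N - E) / N. 1.0 means no impact, 0.0 means the event cost as much
    as normal operations, and negative values mean it cost more than that."""
    if normal_ops_cost <= 0:
        raise ValueError("normal operations cost must be positive")
    return (normal_ops_cost - event_impact) / normal_ops_cost


def annual_value_protection(annual_ops_cost: float, events: list) -> float:
    """Annual variant from the post: AVP = (AN - (E1 + E2 + ... + En)) / AN."""
    return value_protection(annual_ops_cost, sum(e.total() for e in events))


if __name__ == "__main__":
    # Constructed figures matching the post's worked example: N = 1,000,000, E = 500,000.
    single = EventImpact(response=200_000, recovery=250_000, penalties=50_000)
    print(f"VP  = {value_protection(1_000_000, single.total()):.0%}")   # 50%
    # Constructed year with three events; reputation counted only where a figure exists.
    year = [EventImpact(100_000, 50_000),
            EventImpact(20_000, 30_000, reputation=10_000),
            single]
    print(f"AVP = {annual_value_protection(1_000_000, year):.0%}")       # 29%
```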
Larson also has this bon mot:

Value Protection is Larson's attempt to overcome security's classic problem of seeming like nothing but a drain on the business. "Look, business units do one of two things: increase revenue or increase efficiency," Larson says. "We don't bring in revenue. So then you say, 'OK, then you're making the business more efficient, right?' Well, no, we don't do that either. So, if those are the two possible goals of a business unit and we don't fulfill either, then I'm confused."

I would say that businesses create value in three ways: increase revenues, increase efficiency and reduce risk. If you mapped out the potential cash flows, including expected losses, at varying levels of security from none to uber-tight, the variance would make the rate of return very high. If you eliminate the worst-case scenarios by investing in information security, the rate of return increases dramatically, and that creates value.