Risk Assessment: Guiding Responsible Information Security Spending

27 02 2012

by Saad Noman

What assets do we protect? What do we need to protect the asset from? How much do we spend on protecting the asset? These are some of the questions that form the basis of information security, and they fall under the domain of risk assessment. The risk assessment program is an ongoing process that allows organizations to continually identify critical infrastructure and data, discover vulnerabilities and threats, and develop associated treatment plans. The aim of this process is to have a clear roadmap of what needs to be done to mitigate risks and thus move towards building a secure environment in a budget-friendly way. As the United States General Accounting Office highlights, “risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques” [1].

Just as in the Software Development Life Cycle, where you spend time designing the application before coding and implementing it, in information security we first need to understand the environment our organization operates in: what the culture is, which processes and applications are mission critical, and what the threats are. Only then can we establish an effective information security program that addresses realistic scenarios, those that are likely to occur and that carry a high business impact.

Without a risk assessment, organizations are likely to overspend on security controls and yet completely miss the easiest penetration scenarios. For example, I’ve seen in my organization that we focus on protecting the infrastructure from outside threats (with a DMZ, network penetration testing etc.), but there is no policy for protecting critical databases from internal employees. Currently, someone from the development team can easily access a production machine using the application login id from their desktop – there is actually no security control around this.

Having a proper risk assessment framework yields valuable information and action-driven tasks that help guide an organization in how to approach security spending, by quantifying how much harm each risk can potentially do to the business. Risk assessment results provide a solid basis for building a strong quantitative business case for security initiatives that may otherwise be difficult to justify to a Finance team that often says “we want to optimize the budget” and “why is this necessary? We are doing just fine without it”.
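To show what such a quantitative business case can look like in practice, here is an added example (not code from the original post). It assumes the standard annualised loss expectancy model, ALE = SLE × ARO, which the post does not name, and ranks candidate controls by return on security investment (ROSI) and by net benefit within a fixed budget. All asset values, incident rates, control costs and reduction factors are constructed sample figures; the first risk in the register mirrors the post’s own example of developers reaching production with a shared application login.

```python
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Risk:
    """One entry in the risk register (quantitative, ALE-based)."""
    name: str
    asset_value: float      # monetary value of the asset at stake
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualised rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year with no new controls."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: str          # name of the Risk this control addresses
    aro_reduction: float    # fraction by which it cuts that risk's ARO (0..1)


# Constructed sample register (hypothetical figures, not from any real assessment).
RISKS = [
    Risk("prod-db-via-shared-app-login", 2_000_000, 0.25, 0.5),
    Risk("dmz-web-server-compromise", 1_000_000, 0.30, 0.1),
    Risk("laptop-theft-unencrypted-data", 200_000, 0.50, 1.0),
]

CONTROLS = [
    Control("per-user-db-creds-and-dev-subnet-acl", 40_000, "prod-db-via-shared-app-login", 0.8),
    Control("dmz-firewall-upgrade", 60_000, "dmz-web-server-compromise", 0.5),
    Control("full-disk-encryption", 25_000, "laptop-theft-unencrypted-data", 0.9),
    Control("database-activity-monitoring", 30_000, "prod-db-via-shared-app-login", 0.5),
]


def avoided_loss(controls, risks) -> float:
    """Annual loss avoided by a set of controls.

    Controls on the same risk are treated as independent, so the residual ARO
    is the product of (1 - reduction) factors rather than a sum of reductions;
    this keeps the avoided loss from ever exceeding the risk's ALE.
    """
    total = 0.0
    for r in risks:
        residual = prod(1.0 - c.aro_reduction for c in controls if c.mitigates == r.name)
        total += r.ale() * (1.0 - residual)
    return total


def rosi(control, risks) -> float:
    """Return on security investment for one control considered in isolation."""
    saved = avoided_loss([control], risks)
    return (saved - control.annual_cost) / control.annual_cost


def prioritise(risks, controls, budget):
    """Choose the control set within budget that maximises net benefit
    (avoided loss minus cost). Exhaustive over subsets, which is fine for a
    register of a dozen or so candidate controls; use a knapsack DP beyond that.
    """
    best = {"controls": [], "spend": 0.0, "avoided": 0.0, "net": 0.0}
    for k in range(1, len(controls) + 1):
        for subset in combinations(controls, k):
            spend = sum(c.annual_cost for c in subset)
            if spend > budget:
                continue
            avoided = avoided_loss(subset, risks)
            net = avoided - spend
            if net > best["net"]:
                best = {"controls": sorted(c.name for c in subset),
                        "spend": spend, "avoided": avoided, "net": net}
    return best


if __name__ == "__main__":
    for r in sorted(RISKS, key=Risk.ale, reverse=True):
        print(f"{r.name:<38} SLE={r.sle():>10,.0f}  ARO={r.aro:<4}  ALE={r.ale():>10,.0f}")
    for c in CONTROLS:
        print(f"{c.name:<38} cost={c.annual_cost:>8,.0f}  ROSI={rosi(c, RISKS):+.2f}")
    print(prioritise(RISKS, CONTROLS, budget=100_000))
```

With these constructed figures the internal database exposure carries by far the largest ALE, the DMZ firewall upgrade has a negative ROSI because it protects a risk that is already cheap, and the optimiser leaves part of the 100,000 budget unspent rather than buying a control whose cost exceeds the loss it avoids. That is exactly the kind of output that turns a “why is this necessary?” conversation into a numbers discussion.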

To conclude, I think Sun Tzu stated it perfectly in The Art of War, in a passage that directly refers to the importance of proactive risk management:

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” [2]

[1] United States General Accounting Office. “Information Security Risk Assessment.” November 1999.

[2] Sun Tzu, The Art of War quotation – http://thinkexist.com/quotation/the_art_of_war_teaches_us_to_rely_not_on_the/149712.html


The Art of Cyber War – Keeping Hackers on a Tight Leash

29 09 2011

Many of us may have envisioned that future human warfare will be conducted predominantly in cyberspace. Cyber warfare (CBW) may still be an abstract concept to the general population, but as information security professionals we know that the battle has already begun. CBW includes not only international espionage but also domestic intrusion into organizations’ information network systems, such as corporate and banking networks and government databases. Countries are spying on each other, and individual hackers are exploiting vulnerabilities in information systems. The most frightening part of CBW is that it takes only one hacker to create extensive, irreversible damage. Given the risk we are facing, continuously revamping security systems and creating new techniques is not enough to confront invaders who are themselves upgrading, transforming and becoming more advanced. A more proactive effort, approaching the challenge from other angles, is needed.

The ancient Chinese military treatise “The Art of War” suggests a basic principle that applies to any kind of warfare: if you know your enemy as you know yourself, you will always come out ahead in every battle. The underlying rationale of the principle is that one can only gain absolute control over subjects or objects that one profoundly understands. In order to keep hackers on a tight leash, cyber security professionals need to study who and what they are up against. This principle may sound exaggerated, yet its significance has been borne out by the wars won in Chinese history.

For this principle to work, a precondition has to be met. We need to be experts on every aspect of ourselves: our goal in securing systems, our information management technology, our competence in securing the information networks, our ability to respond immediately to incidents, and our potential to improve and develop methodologies in the field. This is what many information security professionals are focusing on.

However, by meeting this precondition we have only 1/3 of the probability of winning the war, as Sun Tzu, the author of “The Art of War,” would say. To gain the next 1/3 of a chance to win, we need to study every aspect of the intruder’s aspirations. For example, who in the population is capable of being an intruder? What is the geographical distribution of this sub-population? Among them, who has the kind of personality and motive to commit an intrusion? Are there any observable abnormal behaviors in their daily work? Where in the system would they be likely to start acting out? What kind of technique would they be likely to use?

Through scientific studies, both experimental and non-experimental, we can gain an objective understanding of intruders. For instance, between 2002 and 2007 the insider threat study team at CERT collaborated with the U.S. Secret Service. Together they collected data on 250 incidents that caused varying levels of damage to the information systems of the affected organizations [1]. The data showed clear general trends in the attackers’ characteristics. Seventy-seven percent of the attackers were former or current full-time employees [2]. Eighty-six percent of the intruders held technical positions, including 36% system administrators, 21% programmers, 14% engineers and 14% IT specialists [3]. Although 96% of the 250 attackers were male, there was not enough evidence to support the hypothesis that hacking behavior is associated with gender: sampling bias and the gender ratio of the IT workforce are two possible confounding variables. The subjects were demographically varied in terms of age, race, gender, and marital status.

Researchers also found that the main motive for their actions was revenge [4]. In 92% of the cases, the attackers were triggered by an unpleasant work-related event [5]. After experiencing cognitive dissonance from the negative event, subjects were likely to develop a motivational drive to reduce their discomfort by whatever means were accessible to them. Thus, using their specialty in technology and their authenticated access to intrude into the network system is a way to retaliate against their employers. In addition, revenge was justified not only by religious beliefs but also by concerns about social law enforcement, such as the death penalty. For details of this finding, please refer to the original article.

After the above simple analysis, we now have a better idea of who is more likely to commit a violation of 18 USC §1030 and why they decide to do it. This sub-population needs to be studied explicitly to obtain the second 1/3 of the winning probability.

For questions, you may contact me at yinghan@andrew.cmu.edu or leave a comment on www.theartofcyberwar.blogspot.com.

1. Insider Threat Study, CERT at Carnegie Mellon University, May 2008. https://www.cert.org/insider_threat/study.html

2. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.

3. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.

4. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.

5. Keeney M., et al., “Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” U.S. Secret Service and CERT Coordination Center/SEI, May 2005.