What does it really mean to a business? Too often security is proposed as an absolute - either you are secure or you are not. Industry statistics like the oft-quoted FBI/CSI survey further fan the flames of information insecurity. But savvy information security professionals know that security is not an absolute but a relative term. This begs the question: relative to what? The consequences of a business's relative insecurity will be primarily economic in nature. Most of the impact will be the loss of economic production, mainly IT downtime.
The relationship between information (in)security and downtime elevates the need to perform an economic cost-benefit analysis when evaluating security risks, tradeoffs, and implementation alternatives. One of the greatest challenges in performing risk assessment is understanding the impact of relative insecurity from a business as opposed to an IT point of view. That relationship requires an understanding of the importance of IT and its relationship to an overall organization's business objectives. This 'business-centric' IT perspective is difficult to identify and even harder to cultivate in a security context. Companies need to share information and provide outside access to critical systems today more than ever. If Wal-Mart allows Procter and Gamble to manage the inventory of Tide on its shelves, how does Wal-Mart properly assess the security risk in this era of information technology glasnost?
We define information security as the management of information technology risk in pursuit of business objectives. Risk management has many components and is well understood by most business managers, financial organizations and insurers who earn their living on analyzing and placing bets on risk. Risk typically has two components, non-systemic (or credit) risk which can be diversified away, and systemic (or market) risk which cannot. Assuming the markets are frictionless, an investor in a company can always diversify the risk by purchasing more than one company's stock.
In another example, when an insurer underwrites a policy for protection against fire, it is placing a bet that it can generate enough revenue from insurance premiums on many different properties to offset any payments that it has to make in the (unfortunate) event of a fire. Because fires tend to be isolated events (the 1666 Great Fire of London, the Chicago fire of 1871, and the fire that burned most of San Francisco after its 1906 earthquake are notable exceptions), an insurer spreads the risk over a large number of properties and reduces its overall risk. The same is true for mortgage underwriters - the risk of default by any individual homeowner is spread among thousands of mortgagees, which helps to diversify away some of the risk. Companies that do not take proper precautions against fire prevention or are in businesses or locations that are more susceptible to burning down are likely to pay higher premiums or risk losing their insurance coverage altogether.
The reality is that markets are not frictionless and information is not perfect. Companies really don't know the level of information security risk they are undertaking and therefore cannot make the appropriate business decisions about the level of risk they should undertake. To further complicate matters the relationship between inadequate protection of information assets (information insecurity) and economic loss is not as well established. Companies are for the most part self-insuring (absorbing the economic loss as a cost of doing business) or simply going without and hoping that disaster does not strike.
Several forces are pushing the information (in)security model into a more managed and disciplined approach. First, regulations like the Graham-Leach-Bliley and Health Insurance Portability and Accountability acts in the United States are raising awareness of the state of information insecurity and the cost of non-compliance. Second, high profile incidents such as virus outbreaks and sensationalized stories of hacker attacks have raised security to the boardroom level. Finally, September 11 has put disaster recovery and business continuity planning on the front burner. After all, business continuity planning is another way of minimizing the risk and cost of downtime.
Companies are also responding by participating in security benchmarking studies that compare their security policies and practices with their competitors. This can help reduce the threat of lawsuits by adhering to a standard of "due care." The challenges with benchmarking studies are threefold:
- Direct competitors are reluctant to share the necessary information.
- Companies in the same industry and of a similar size do not always have the same risk profile.
- Companies tend to spend minimally on security in order to meet the "due care" standard, while the optimal expenditure to achieve business objectives may be much higher.
Business conditions are changing too rapidly for companies to build elaborate security and economic risk assessment models. However, there are things that can be done quickly and cost-effectively to better understand the impact of information security on economic risk assessment:
- Immediately review compliance with security standards in your industry. If none are directly applicable take a look at ISO 17799, which is starting to gain momentum as an industry standard.
- Review your business continuity and disaster recover plans in the context of information security - what would happen if a virus were to knock down a critical system for several days, for example?
- Review your information security policy (especially if it has not been reviewed within the last year) and try to plug any holes that may result in significant downtime to your business.
Sensationalism aside, companies are just beginning to recognize the true importance of information security to an organization, and not simply from the perspective of keeping virus files up to date and enforcing minimum password lengths. If information security is to become more business-centric it will require re-education of not only the IT and security staffs but also C-team (CFO, CEO, etc.) staff for awareness of the role that information security plays in accomplishing business objectives and managing risk.
Robert Lonadier is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached via email at firstname.lastname@example.org.