What are ways to measure security risks, threats and vulnerabilities?


Mike Rothman
02.05.2009


In general, risk tends to be hard to quantify. Before I jump into the million or so things you could quantify, it's important to understand a bit about risk, especially within the context of security. Back in my TruSecure (now CyberTrust) days, CTO Peter Tippett defined risk via a simple equation:

Risk = Threat x Vulnerability x Cost

Threat is the frequency of adverse events. Vulnerability is the likelihood that a particular attack will be successful, and cost is the total economic impact of a successful attack. A lot of folks have different ways to quantify risk -- investors, actuaries and security professionals all have different opinions -- but this definition is sufficiently simple for a rock head like me, so let's go with it.

You need to quantify your security environment (which is threats and vulnerabilities) and then calculate the cost to derive your risk exposure. In reality, you can spend a lifetime trying to build a sophisticated, PhD-level model and still be wrong. Basically, you are making assumptions on top of assumptions on top of assumptions.

I'm a fan of simplicity, and I suggest folks take a more qualitative approach to quantifying anything related to security. Much of this is laid out in my book, The Pragmatic CSO, but here is the abridged version.

To start, figure out what's important, focusing on cost. What business systems are most critical to your organization? Who uses them? What is their time worth? Once you have an idea of the most critical systems, then figure out the most likely threats to those systems. Are they vulnerable to cross-site scripting attacks? Or a brute force DDoS assault? Use these findings to develop a realistic estimate of how likely it is that such attacks, if successful, could take down those critical systems.

Ultimately, try to establish whether it makes sense to implement a new process or install a new product, and figure out which knobs that specific product will affect. Will installing a Web application firewall reduce the likelihood of an XSS attack on your critical application? If yes, to what degree? Take a guess. Will that affect the frequency of the attack? (Nope. The only way to do that is to take the system offline, so that number stays the same in this case.) This approach will allow you to get an "apples-to-apples" comparison of different options and figure out what will yield the greatest reduction in risk.
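The comparison described above, worked through in code as an added example (not from the tip or from The Pragmatic CSO): each critical system carries an estimated cost, each threat against it carries an estimated frequency and success likelihood, and a candidate control is modelled as lowering only the vulnerability term, never the frequency. The system, threat values and reduction percentages are constructed guesses, as the tip says they will be.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    frequency: float      # Threat: expected adverse events per year (an estimate)
    vulnerability: float  # Vulnerability: probability one event succeeds, 0..1 (an estimate)

@dataclass
class System:
    name: str
    cost: float           # Cost: economic impact of one successful attack
    threats: list

def risk(system: System) -> float:
    """Risk = Threat x Vulnerability x Cost, summed over the system's threats."""
    return sum(t.frequency * t.vulnerability * system.cost for t in system.threats)

def apply_control(system: System, affected_threat: str, vuln_reduction: float) -> System:
    """Model a control that cuts the success likelihood of one threat.
    Frequency is deliberately untouched: a product does not change how often
    attackers try, only how often they succeed."""
    new_threats = []
    for t in system.threats:
        if t.name == affected_threat:
            t = Threat(t.name, t.frequency, t.vulnerability * (1 - vuln_reduction))
        new_threats.append(t)
    return System(system.name, system.cost, new_threats)

def compare_options(system: System, options: list) -> list:
    """Rank candidate controls by absolute risk reduction (apples-to-apples)."""
    base = risk(system)
    results = []
    for label, threat_name, reduction in options:
        after = risk(apply_control(system, threat_name, reduction))
        results.append((label, round(base - after, 2)))
    return sorted(results, key=lambda r: r[1], reverse=True)

# Constructed sample: an order-entry app where one successful attack costs 50,000
ORDER_APP = System("order entry", 50_000.0, [
    Threat("xss", frequency=12.0, vulnerability=0.30),
    Threat("ddos", frequency=2.0, vulnerability=0.50),
])
# Constructed guesses for how much each control lowers the vulnerability term
OPTIONS = [
    ("web app firewall (guess: 70% fewer successful XSS)", "xss", 0.70),
    ("ddos scrubbing service (guess: 60% fewer successful DDoS)", "ddos", 0.60),
]

if __name__ == "__main__":
    print(f"baseline risk: {risk(ORDER_APP):,.0f}")
    for label, reduction in compare_options(ORDER_APP, OPTIONS):
        print(f"{label}: reduces risk by {reduction:,.0f}")
```

Swapping in your own systems and estimates is the whole exercise; the numbers only have to be consistent across options, not precise.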

I am not a big fan of simply counting things. The taxonomy I described will allow you to weigh certain decisions against others by using the only metric that's important: the risk to your critical business systems.
