Statements We Make When We’re Out Of Touch With Risk


  • You’re out of touch, I’m out of time

    Found a quote through Dan Sullivan (via Mike Rothman) in his post “Compliance is Less Expensive Than Data Breaches”. Dan’s post was based on this Computerworld article. The quote from the Computerworld article:

    Implementing security is cheaper in the long run than having a data breach, which can be expensive and hurt a company’s reputation. Gartner calculates that a data breach costs companies around $300 per exposed account because of investigations, fines and lawsuits. On the other hand, beefing up security costs around $16 per account for the first year, and that cost falls over time, according to Litan.

    Oh, if only it were that simple.

    If someone tells us that “Breaches are more expensive than your security budget”, you know what our response should be?

    Well Duuuuuhhhhh.

    That’s the same FUD that stopped working sometime last century. I would hope that everybody’s already figured that one out, and frankly I’d be pretty ticked off if I were paying an analyst firm for that nugget of wisdom.

    What most in our industry haven’t figured out is whether the probability of a breach is enough to warrant excessive security spending above and beyond the risk tolerance of the business owner. That’s the job of risk analysis and risk management functions. Speaking of risk and spending…

    COMPLIANCE DOESN’T LOWER YOUR RISK, IT RAISES IT

    For most people, that is. I’ve been talking about the “compliance feedback loop” recently. In a simple statement:

    Compliance, purportedly created to lower risk, has a tendency to actually increase it. And the more compliance I face, the more risk I actually have.

    I know that when you think about it, this all seems common sense, but it’s important to note that thanks to FAIR we can actually study the quantitative impact of compliance on risk and develop thresholds at which compliance develops limited return in risk reduction when compared to our investment.

    Maybe I should build a little web application that compares investment to risk reduction. I could call it, “Is This Checkbox Worth It?”

    When I say compliance, of course, I’m talking about the kind that comes from governments and industry (PCI). You see, in FAIR terms, probable magnitude of loss is developed from the six forms of loss:

    productivity, response, replacement, competitive advantage, fines & judgments, reputation

    So essentially, fines & judgments due to “compliance” will increase the probable magnitude of loss. In real world risk studies, many times that increase is dramatically more than even the sum of the other five loss factors.

    Now, if compliance does not significantly increase the strength of our controls to the extent that they significantly reduce the frequency of loss events, then the presence of those fines and judgments is like a self-fulfilling prophecy. If I can abuse the economic term, it’s kind of a controlled market for risk tolerance.

    To further abuse economics, excessive compliance to government/industry standards like PCI makes incidents more expensive than their “market price”. So when you consider the ramifications, we’ve created a self-propagating industry! Unfortunately, like most bubbles that exceed true market values, this bubble will ultimately burst, and if you believe the dark, foreboding prognostication, the future for us is either a low-level network admin or a legal assistant (more on that future in a later blog post).
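    As an added worked example (not code from the original post, nor from FAIR’s authors), here is a small Python version of the “Is This Checkbox Worth It?” calculator. It uses FAIR’s two top-level factors, loss event frequency and probable magnitude of loss built from the six forms of loss, plus the $300 and $16 per-account figures quoted above; every other number in it is a constructed assumption. The `max_lef_after_compliance` function goes one step beyond the text and computes how much a compliance regime must cut loss event frequency before the fines it adds stop raising overall risk.

```python
"""Added example: a minimal FAIR-style "is this checkbox worth it?" calculator.

Only the $300 per exposed account (breach) and $16 per account (security)
figures come from the article quoted in the post; all other values are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class LossMagnitude:
    """FAIR's six forms of loss, each as a dollar amount per loss event."""
    productivity: float = 0.0
    response: float = 0.0
    replacement: float = 0.0
    competitive_advantage: float = 0.0
    fines_and_judgments: float = 0.0
    reputation: float = 0.0

    def total(self) -> float:
        """Probable magnitude of loss for one event: the six forms summed."""
        return sum(getattr(self, f.name) for f in fields(self))


def annualized_loss(loss_event_frequency: float, magnitude: LossMagnitude) -> float:
    """Risk in FAIR terms: loss event frequency (events/year) x probable magnitude ($)."""
    return loss_event_frequency * magnitude.total()


def breakeven_breach_probability(breach_cost_per_account: float = 300.0,
                                 security_cost_per_account: float = 16.0) -> float:
    """Yearly per-account breach probability at which expected breach cost equals
    the security spend. Below it, "breaches cost more than security" is true per
    incident but not in expectation, which is the distinction the post draws."""
    return security_cost_per_account / breach_cost_per_account


def checkbox_worth_it(control_cost: float, lef_before: float, lef_after: float,
                      magnitude: LossMagnitude) -> tuple[float, bool]:
    """Annualized risk reduction a control buys, and whether that covers its cost."""
    reduction = annualized_loss(lef_before, magnitude) - annualized_loss(lef_after, magnitude)
    return reduction, reduction >= control_cost


def max_lef_after_compliance(lef_before: float, magnitude: LossMagnitude,
                             fines: float) -> float:
    """The compliance feedback loop: a regime that adds `fines` to the
    fines-and-judgments form of loss must cut loss event frequency to at most
    this value, or it raises annualized loss instead of lowering it."""
    base = magnitude.total()
    return lef_before * base / (base + fines)


if __name__ == "__main__":
    # Constructed figures for a hypothetical breach scenario (not from the post).
    magnitude = LossMagnitude(productivity=50_000, response=120_000, replacement=30_000)
    reduction, worth_it = checkbox_worth_it(15_000, 0.1, 0.02, magnitude)
    print(f"control buys ${reduction:,.0f}/yr of risk reduction; worth it: {worth_it}")

    fines = 800_000  # fines dwarfing the other forms of loss, as the post describes
    with_fines = replace(magnitude, fines_and_judgments=fines)
    print(f"ALE before compliance: ${annualized_loss(0.1, magnitude):,.0f}; "
          f"after, with same LEF: ${annualized_loss(0.1, with_fines):,.0f}")
    ceiling = max_lef_after_compliance(0.1, magnitude, fines)
    print(f"compliance must cut LEF from 0.1 to <= {ceiling:.3f}/yr to pay for itself")
    print(f"break-even breach probability per account: {breakeven_breach_probability():.1%}")
```

    With the constructed figures, a regime that bolts $800,000 of fines onto a $200,000 loss event has to cut loss event frequency fivefold just to leave annualized loss where it was; anything less and the checkbox has made the business riskier, which is the feedback loop in numbers.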

    DON’T PLAY THE REPUTATION CARD (IF YOUR AUDIENCE IS SMART)

    Finally, I have a really tough time with this statement made in that article:

    “a data breach, which can be expensive and hurt a company’s reputation.”

    Really? I’d love to see empirical data that suggests a breach, any breach, resulted in long term reputation damage (measured in sales volume or stock price, of course) for a B2C company.

    Speaking of data, risk and studies - tomorrow let’s tackle the “ajillion% of all attacks are from insiders” from a risk standpoint - shall we?


  • 12 comments

    1. Chris Jul 3

      Well, the VA got breached and recruitment figures are down. Does that count? :^)

      Seriously, this “living as a quadriplegic costs more than looking both ways when you cross the street” wisdom would be funny if, instead of just fluff in the trade press, it hadn’t been part of expert testimony before congress.
      (http://www.itnews.com.au/newsstory.aspx?CIaNID=33396&src=site-marq)

    2. shrdlu Jul 3

      Sounds like it’s time for some Adult Education … (it’s a bad situation) ;-)

    3. Adam Jul 3

      Damnit Alex, if you go telling people not to talk about reputation, how am I supposed to decide if a speaker is a bozo? It’s so easy until you tell people that.

    4. Alex Jul 3

      @Chris - Encryption is one of those controls that absolutely destroys the probability of a loss event. And, as the article points out, it’s pretty cheap (comparatively). If you ever get a chance to talk to Jack Jones about the Control Framework, you’ll become a huge believer.

      @ Shrdlu - That’s not right. I have to go wash my mind out now.

      @ Adam - Hah! Given our readership numbers, I doubt you have anything to worry about anytime soon. It’s not like we’re EmergentChaos or anything :)

    5. Rob Newby Jul 4

      I’ve talked about reputation a few times over on PCI Answers, as it’s one of those topics which is inextricably linked. It’s worrying to note that in many cases a company’s stock actually goes UP after a breach, the extra publicity, chance to say “we were caught doing it wrong, but now we’re doing it extra right”, etc. works well in favour of a big breachee. Choicepoint cashed in on this phenomenon recently with several articles in the press.

      Another thing I’ve bitched about recently is sales bullshit, which is where the 99.99999% of attacks are internal comes from. It’s easy to lie with statistics, even if you CAN prove them. For example, there was an RSA PCI survey done recently, where if you read the small print you found that the sample was taken from about 20 RSA PCI customers who had replied to the survey about PCI on the RSA website whilst it was up for 3 days in January or some such rubbish.

      Great picture of Hall and Oates by the way. Makes you wonder why the mullet didn’t become a permanent fashion statement.

    6. Alex Jul 4

      Rob,

      That second paragraph you wrote? You’ll love tomorrow’s post.

      And who says the mullet *isn’t* a permanent fashion statement.

    7. Rob Newby Jul 4

      Here you go, have a read of this entry and use what you like.

    8. shrdlu Jul 5

      “Encryption is one of those controls that absolutely destroys the probability of a loss event. And, as the article points out, it’s pretty cheap (comparatively).”

      Mneh. Not so sure here, pilgrim. You can have a four-inch-thick solid oak door, but if you can still pry it open with a credit card, it’s a weak control. Ditto encryption with a weak password protecting the key (or, even worse, “single sign-on” — *ick*shudder*). There are so many ways to use encryption wrongly that I don’t automatically buy your assertion.

    9. Alex Jul 5

      Hey Your Shrdlusness :)

      What, you want me to qualify everything by saying “when properly implemented”? LOL

      Encryption has been so misused, abused and excused that I’m starting to think that it really *is* a munition.

      As a control, we can quantify the various effects of encryption. It decreases the ability of an attacker to contact our data, it raises the level of effort required to gain access to our data, and good encryption controls can even give us visibility into our capability to detect and respond to a threat event. However, as you rightly suggest, this is all predicated on a good implementation.

      Perhaps there is a significant risk to implementing this control! We should study it…

    10. Rob Newby Jul 8

      I’m an old man in encryption terms, and I’ve seen some pretty stupid things done with it. What’s more important these days is key management, which is where Decru made such a killing selling out to NetApp, and Ingrian have now switched their focus (and CEO).
      The real issue of encryption is that it is misunderstood. It is not the catch all that people suppose it to be. Just because my information is encrypted, does not mean that it can’t be changed. It does not mean there are not weak access controls, authentication, accounting, etc. Encryption is a key element of data security, for sure, but more is needed, and when people start to understand that, we will see more interesting developments here.
      When business allows it of course.

    1. Impact of security breach on reputation is unmeasurable - or is it?
    2. The "Insider Statistic", Good Data, & Risk | RiskAnalys.is
