Security Trade-Offs
An essay by an anonymous CSO. This is how it begins:
On any given day, we CSOs come to work facing a multitude of security risks. They range from a sophisticated hacker breaching the network to a common thug picking a lock on the loading dock and making off with company property. Each of these scenarios has a probability of occurring and a payout (in this case, a cost to the company) should it actually occur. To guard against these risks, we have a finite budget of resources in the way of time, personnel, money and equipment—poker chips, if you will.
If we’re good gamblers, we put those chips where there is the highest probability of winning a high payout. In other words, we guard against risks that are most likely to occur and that, if they do occur, will cost the company the most money. We could always be better, but as CSOs, I think we’re getting pretty good at this process. So lately I’ve been wondering—as I watch spending on national security continue to skyrocket, with diminishing marginal returns—why we as a nation can’t apply this same logic to national security spending. If we did this, the war on terrorism would look a lot different. In fact, it might even be over.
The whole thing is worth reading.
Cypherpunk • April 22, 2005 1:10 PM
Microsoft uses the DREAD model to rank threats for severity. This is for software, but it could apply to physical threats as well. They recommend grading each threat on a 3-point scale for each category and summing the results. This gives a crude but helpful measure to guide remediation efforts.
Damage potential: How great is the damage if the vulnerability is exploited?
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How easy is it to launch an attack?
Affected users: As a rough percentage, how many users are affected?
Discoverability: How easy is it to find the vulnerability?
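A worked example of the DREAD ranking described in the comment above. This is an added illustration, not code from the original page, the commenter, or Microsoft; the threat names and their 1-3 scores are constructed for the example, and the tie-break order (damage, then exploitability, then name) is an assumption made here so that the ranking is deterministic, since the summed score alone says nothing about how to order two threats with equal totals.

```python
from dataclasses import dataclass, fields

# The 3-point scale from the comment: 1 = low, 2 = medium, 3 = high.
SCALE = (1, 2, 3)


@dataclass(frozen=True)
class DreadScore:
    """One DREAD rating: five categories, each scored 1, 2 or 3."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the scale so a typo (0, 10, None) cannot
        # silently distort the ranking.
        for f in fields(self):
            v = getattr(self, f.name)
            if v not in SCALE:
                raise ValueError(
                    f"{f.name}={v!r}: each DREAD category must be scored 1, 2 or 3"
                )

    def total(self) -> int:
        # The DREAD severity is simply the sum of the five categories (5..15).
        return sum(getattr(self, f.name) for f in fields(self))


def rank_threats(threats: dict[str, DreadScore]) -> list[tuple[str, int, DreadScore]]:
    """Return (name, total, score) tuples, highest total first.

    Ties on the total are broken by damage potential, then exploitability,
    then name. That tie-break is an assumption of this example, not part of
    DREAD itself; equal sums can hide very different threat profiles.
    """
    return sorted(
        ((name, score.total(), score) for name, score in threats.items()),
        key=lambda t: (-t[1], -t[2].damage, -t[2].exploitability, t[0]),
    )


# Constructed sample threats, mixing software and physical risks as the
# comment suggests. The scores are illustrative, not measured.
THREATS = {
    "SQL injection in login form": DreadScore(3, 3, 3, 3, 2),          # 14
    "Lock picked on loading dock": DreadScore(2, 3, 2, 1, 3),          # 11
    "Verbose stack trace on error page": DreadScore(1, 3, 3, 3, 3),    # 13
    "Phishing of helpdesk staff": DreadScore(3, 2, 2, 2, 2),           # 11
    "Timing side-channel in password compare": DreadScore(2, 1, 1, 3, 1),  # 8
}


if __name__ == "__main__":
    for name, total, _ in rank_threats(THREATS):
        print(f"{total:2d}  {name}")
```

Note how the two threats that both sum to 11 (the picked lock and the helpdesk phishing) sit next to each other with quite different profiles; the sum is a useful first cut for ordering remediation work, but the individual category scores are what tell you whether the cheap fix is reducing damage, reducing exposure, or reducing discoverability.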