I'd recommend the following three books to keep around and read, re-read, reference, etc.
http://www.amazon.com/Complete-Risk-Assessment-Days-Less/dp/1420062751/ref=sr_1_4?s=books&ie=UTF8&qid=1293219978&sr=1-4
http://www.amazon.com/Security-Risk-Assessment-Handbook-Assessments/dp/0849329981/ref=pd_sim_b_1
http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989/ref=sr_1_1?s=books&ie=UTF8&qid=1293220200&sr=1-1
In fact, just about anything Peltier writes is worth having. Security Metrics is a must-have book for security numbers management; however, if you're into the IT (technology) side then it will outright bore you to death. If you HAVE to, or like to (don't know why), deal with security management, it's worth having to aid you in coming up with decent, reasonable security metrics (math).
From my perspective, there are ONLY OBJECTIVE points of view; it can NEVER be SUBJECTIVE, DO NOT BE FOOLED: OBJECTIVE POVs when it comes to security management/risk metrics. That of AV * EF = (*cough*bull*cough) SLE.
Fuzzy math. Here is the breakdown, followed by my bastardization of the breakdown:
* AV = Asset Value (Expressed in dollars) (http://en.wikipedia.org/wiki/Asset)
  Try understanding how to define an asset when your infrastructure is in the cloud, will you. What shall you say is your asset value then, the cost of the cloud computing service you're paying for?
* EF = Exposure Factor (Expressed as a percentage of the asset value)
  See above. What shall you do when your cloud provider doesn't allow you to perform a vulnerability OR penetration test against your virtualized instance? You could NEVER get a concrete number on this.
* SLE = Single Loss Expectancy (It can be defined as the monetary value expected from the occurrence of a risk on an asset.)
  But if you're not allowed to perform proper Risk Assessments, on what will you be basing your number?
* ALE = Annual Loss Expectancy
  Yawn
* ARO = Annual Rate of Occurrence (Number of exposures or incidents that could be expected per year)
  Yawn...
So my example is as follows... I have an Amazon EC3 host which provides email service. This generates for me approximately $10,000.00 per year. The total cost for me to have this EC3 instance is $25.00 per month ($300.00 per year). It cost me a one-time charge of $100.00 to configure and a recurring $10.00 per month to maintain. So far I am spending $420.00 per year. I'll set my asset value at $500.00 to be fair. EC3 is not a tangible asset and can be replaced at the whopping cost of $120.00. There are other fees associated with the setup I could throw in the mix: cost of salary associated with the programmers and developers who'd have to do the work, and so on. In a nutshell, fuzzy math, it's whatever I want it to be (OBJECTIVE) even though I can use SUBJECTIVE numbers ($25.00 * 12).
AV = 120.00
EF = 10% (because it's Amazon, they WON'T let me pentest in a multitenant cloud... I don't and WON'T have real security metrics)
SLE = 1,200.00
ARO = How humorous is that... ARO. "Gee, I'm hoping to not get owned 2x this year. But because it's Amazon and out of my control, I can't outright fix things, 2x per year I expect this happening." So my ARO is 2,400.00
Would it be safe to say that I should spend $240.00 to protect myself? $240.00 to protect myself... I'm making $10,000.00 per year from this venture. Anyhow, risk management metrics are an art, not a proven science. While there are some measurables to be obtained from risk management, the fact is, as quoted in the past: "There are lies, damned lies and statistics."
AV * EF = SLE is flawed for technology from my POV because there are too many variables to throw into the equation:
From OWASP:
AV x EF = SLE
If our Asset Value is $1000 and our Exposure Factor (% of loss a realized threat could have on an asset) is 25% then we come out with the following figures:
$1000 x 25% = $250
So, our SLE is $250 per incident. To extrapolate that over a year we can apply another formula:
SLE x ARO = ALE (Annualized Loss Expectancy)
The ALE is the possibility of a specific threat taking place within a one-year time frame. You can define your own range, but for convenience's sake let's say that the range is from 0.0 (never) to 1.0 (always). Working on this scale, an ARO of 0.1 would indicate that the ARO value is once every ten years. So, going back to our formula, we have the following inputs:
SLE ($250) x ARO (0.1) = $25 (ALE)
Therefore, the cost to us on this particular asset per annum is $25. The benefits to us are obvious, we now have a tangible (or at the very least semi-tangible) cost to associate with protecting the asset. To protect the asset, we can put a safeguard in place up to the cost of $25 / annum.
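As an added example (mine, not from the original post or OWASP), the two formulas above coded up with interval inputs: OWASP's point estimates give one number, while the post's cloud-mail scenario (AV $500, the value the post picks "to be fair"; the EF and ARO bands are my constructed guesses, since the post says no pentest is allowed) shows how wide the "safeguard budget" gets when EF and ARO are guesses rather than measurements.

```python
"""SLE = AV x EF and ALE = SLE x ARO with interval inputs, to show how wide
the resulting safeguard budget becomes when EF and ARO are only guesses."""
from typing import Tuple

Interval = Tuple[float, float]  # (low, high)


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy in dollars: loss per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of the asset value, 0.0..1.0")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss: float, annual_rate: float) -> float:
    """Annualized Loss Expectancy in dollars: expected loss per year."""
    if annual_rate < 0.0:
        raise ValueError("ARO cannot be negative")
    return round(single_loss * annual_rate, 2)


def ale_interval(asset_value: float, ef: Interval, aro: Interval) -> Interval:
    """Propagate input uncertainty through both formulas.

    AV, EF and ARO are all non-negative, so the product is monotone in each
    input and the extreme ALE values sit at the extreme corners of the input
    intervals: low with (ef_low, aro_low), high with (ef_high, aro_high).
    """
    low = ale(sle(asset_value, ef[0]), aro[0])
    high = ale(sle(asset_value, ef[1]), aro[1])
    return low, high


def spread_factor(interval: Interval) -> float:
    """How many times larger the high estimate is than the low one (inf if low is 0)."""
    low, high = interval
    return float("inf") if low == 0 else round(high / low, 2)


if __name__ == "__main__":
    # OWASP's textbook case: point estimates give a single safeguard ceiling.
    print("OWASP: SLE", sle(1000, 0.25), "ALE", ale(sle(1000, 0.25), 0.1))  # 250.0, 25.0
    # Constructed cloud-mail case modelled on the post: AV $500, but no pentest
    # allowed, so EF is a guess (5%..50%) and ARO a hope (0.5..2 incidents/yr).
    band = ale_interval(500, ef=(0.05, 0.50), aro=(0.5, 2.0))
    print("cloud mail ALE band", band, "spread x", spread_factor(band))  # (12.5, 500.0) 40.0
```

The 40x spread is the practical point: a per-annum safeguard ceiling somewhere between $12.50 and $500 is not a budget, it is a restatement of how little is known about EF and ARO.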
Looking at OWASP's (http://www.cgisecurity.com/owasp/html/ch03.html) interpretation of it makes sense, no? How about we define some more threats...
Loss of power = threat ... Sometimes even colos go down.
Loss of connectivity = threat ... Anonymous' attacks via Mastercard/Visa show this threat...
How do you calculate these risks/threats? You don't. That is, according to the rules of the game, you don't:
"You can define your own range." So what is the value of these metrics at the end of the day when you CAN'T truly calculate risk? All you can do is offer qualitative metrics (but that is an altogether 'nother story: Qualitative versus Quantitative, http://wilderdom.com/research/QualitativeVersusQuantitativeResearch.html).