The Risk Equation
By Peter Tippett
When interviewing me for security-related stories, reporters frequently
ask me to describe the primary goal of information security in terms
everyone can understand. Here's what I say: Infosecurity is about
mitigating risk. Of course, there are many ways to define and evaluate
risk, and many subtle and substantial differences in the application
of risk-related terms.
The most effective way I've found to define risk is with this simple equation:
Risk = Threat x Vulnerability x Cost
This equation is fundamental to all that we do in information security.
But before we discuss the equation itself, let's take a look at
these terms individually.
Threat is the frequency of potentially adverse events. Since threat
(by this definition) is always a frequency, it's always potentially
measurable. And since the events are only potentially adverse, threat
per se is not necessarily dangerous or detrimental.
Here are some examples. The threat rate of southern California
earthquakes greater than 4 on the Richter Scale is 21 per year.
The threat rate of hurricanes hitting Florida is 1.4 per year. The
threat rate of insiders who use somebody else's logged-in PC to
inappropriately access restricted information is approximately four
per 1,000 users per day. The threat rate of virus encounters by
a 1,000-PC organization is 88 per day. The threat rate of "attack-related
scans" against a single IP address is seven per day. And so on.
Threat rates can be categorized into "global threat rates"
and "local threat rates." A local organization's geography,
status, political stance or any other factor may expose it to more
or less threat than that of the global rate. The key to thinking
about this is to determine--or at least estimate--the rate of whatever
threats face your organization. Of course, many threat rates change
constantly, particularly those driven by humans.
Vulnerability is the likelihood of success of a particular threat
category against a particular organization. Notice that if this
were the likelihood of success of a particular attack (e.g., the
Ping of Death) against a particular machine, the likelihood would
be either 0 or 1 (0 percent or 100 percent). But since we are concerned
about vulnerability at an organizational level (with, say, 1,000
PCs and 50 servers configured and architected in a particular way)
to an entire class of threat, binary terms don't work. Instead,
vulnerability has to be quantified in terms of a probability of
success, expressed as a percent likelihood.
The likelihood of success is not easy to measure, but a related
term, "vulnerability prevalence," is. Vulnerability prevalence
is simply the number of machines of a particular type (say, NT-based
Web servers running IIS that are exposed to the Internet) that exhibit
a particular vulnerability.
Many factors work together to make some, but not all, machines
vulnerable in their current environment--even if the software, hardware
and data is identical across machines. Router rules, firewall configuration,
proxy settings, NAT, location on a subnet, OS type, co-existence
of other running processes, existence of data of certain types,
existence of sample code or files, secondary connections of certain
types--these factors and many others change the likelihood of success
of a particular threat.
Cost is the total cost of the impact of a particular threat experienced
by a vulnerable target. Hard-dollar costs are measured in terms
of "real" damages to hardware or software, as well as
quantifiable IT staff time and resources spent repairing these damages.
Semi-hard costs might include such things as lost business or transaction
time during a period of downtime. Soft costs include such things
as lost end user productivity, public relations damage control,
a decrease in user or public confidence or lost business opportunities.
For the two weeks before and after the Melissa virus catastrophe
in 1999, TruSecure did a study where the person most responsible
for virus security in 300 organizations was asked to assess the
cost of his or her company's "most recent virus event."
Nearly one in five companies in the survey said their most recent
virus event was Melissa. Of these companies, 79 percent experienced
a "disaster" from it. The average "disaster"
company had 1,120 employees and averaged 196 infected PCs and 8.7
infected servers (including e-mail, e-commerce and other servers)
per site, which were down for an average of two days. Yet the average
technician whose company experienced a disaster related to Melissa
said the organizational cost was only $1,700. The actual total costs
were probably more than seven-fold higher. Why? Because almost none
of the technicians surveyed added in second-order hard costs or
semi-soft or soft costs.
It's not threat, vulnerability or cost alone that really matters,
but risk. As you can see from the risk equation, for there to be
any risk there must be at least some threat and vulnerability and
cost. The concept we all learned in sixth grade--that anything multiplied
by zero is zero--means that if any one of the three components of
risk is zero, then the risk is also zero.
This concept is handy when evaluating a vendor's or the media's
suggestion that "XYZ risk" must be addressed. If you can
determine that XYZ risk poses no threat to your organization--or
if you determine that your organization is not vulnerable to it--or
that if it is vulnerable to it, the cost of fixing or repairing
the problem is zero--you automatically know that XYZ risk doesn't
pose a risk to your organization.
In most instances, you won't be able to say for sure that any of
the three risk factors is zero. Instead, you'll need to measure
each component of risk. For instance, let's say you want to determine
if your intranet Web server is vulnerable to the "gichagoombi"
attack, and if so, the level of the threat. To do this, you need
to evaluate the threat rate in other spheres (like the Internet),
and determine how that translates to your intranet. What tools,
knowledge and access are required to make it a threat? What human
motivation is necessary? Who in your company has all the ingredients
(tools, knowledge, access, motivation) to exploit the vulnerability?
By drilling down into each component, you'll very often conclude
that there's no risk--or at least no imminent risk--because at least
one component of risk is zero or near zero.
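As an added worked example (not part of the original article), the script below applies Risk = Threat x Vulnerability x Cost to three of the threat rates quoted above for a 1,000-PC organization, converts per-day rates to annual figures, scales a per-IP global rate to a local one, and shows how the zero rule and the seven-fold cost under-count change which risk ranks first. The threat rates and the $1,700 figure come from the article; every vulnerability probability, per-event cost and the count of 20 exposed IP addresses are constructed assumptions.

```python
"""Added worked example applying the article's risk equation.
Threat rates and the $1,700 reported virus cost are from the article;
all vulnerability probabilities and other costs are assumed values."""
from dataclasses import dataclass

DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_per_year: float  # Threat: frequency of potentially adverse events
    vulnerability: float    # Vulnerability: probability (0..1) an event succeeds here
    cost: float             # Cost: total impact of one successful event, in dollars

    def annual_risk(self) -> float:
        # The equation itself: if any factor is zero, the product is zero.
        return self.threat_per_year * self.vulnerability * self.cost


def per_day(rate: float, local_multiplier: float = 1.0) -> float:
    """Turn a per-day threat rate into a per-year one, optionally scaling a
    global rate to a local one (e.g. scans per IP times the IPs you expose)."""
    return rate * local_multiplier * DAYS_PER_YEAR


def rank_by_risk(scenarios):
    return sorted(scenarios, key=Scenario.annual_risk, reverse=True)


def build_scenarios(virus_cost: float):
    """`virus_cost` lets us compare the $1,700 technicians reported with a
    seven-fold higher estimate that adds semi-hard and soft costs."""
    return [
        # 88 encounters/day (article); 1 in 100 leads to an infection (assumed)
        Scenario("virus encounters", per_day(88), 0.01, virus_cost),
        # 4 per 1,000 users/day (article); half reach restricted data and
        # $2,000 per incident (both assumed)
        Scenario("insider misuse of logged-in PC", per_day(4), 0.5, 2_000),
        # 7 scans/day per IP (article) across 20 exposed IPs (assumed);
        # 1 in 1,000 finds a hole and $50,000 per compromise (both assumed)
        Scenario("attack-related scans", per_day(7, local_multiplier=20), 0.001, 50_000),
        # An "XYZ risk" you are not vulnerable to: zero risk whatever the threat or cost
        Scenario("XYZ risk (not vulnerable)", per_day(1_000), 0.0, 10_000_000),
    ]


if __name__ == "__main__":
    for cost in (1_700, 7 * 1_700):
        print(f"\nVirus cost per event assumed: ${cost:,}")
        for s in rank_by_risk(build_scenarios(cost)):
            print(f"  {s.name:<34} ${s.annual_risk():>14,.0f}/year")
```

With the reported $1,700 the virus scenario ranks last of the three live threats; with the seven-fold corrected cost it ranks first, which is the practical consequence of leaving soft costs out of the equation.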
Vulnerability is often the first thing to address, since that's
where you typically have the most control. There are always many
places where you can at least partially reduce vulnerability, and
do so easily and inexpensively. We call these partial solutions
"synergistic controls." They are overlooked by almost
everyone, but are exceedingly useful, especially when used together
with other synergistic controls.