The Risk Equation

When interviewing me for security-related stories, reporters frequently ask me to describe the primary goal of information security in terms everyone can understand. Here's what I say: Infosecurity is about mitigating risk. Of course, there are many ways to define and evaluate risk, and many subtle and substantial differences in the application of risk-related terms.

The most effective way I've found to define risk is with this simple equation:

Risk = Threat x Vulnerability x Cost
This equation is fundamental to all that we do in information security. But before we discuss the equation itself, let's take a look at these terms individually.

Threat is the frequency of potentially adverse events. Since threat (by this definition) is always a frequency, it's always potentially measurable. And since the events are only potentially adverse, threat per se is not necessarily dangerous or detrimental.

Here are some examples. The threat rate of southern California earthquakes greater than 4 on the Richter Scale is 21 per year. The threat rate of hurricanes hitting Florida is 1.4 per year. The threat rate of insiders who use somebody else's logged-in PC to inappropriately access restricted information is approximately four per 1,000 users per day. The threat rate of virus encounters by a 1,000-PC organization is 88 per day. The threat rate of "attack-related scans" against a single IP address is seven per day. And so on.

Threat rates can be categorized into "global threat rates" and "local threat rates." A local organization's geography, status, political stance or any other factor may expose it to more or less threat than that of the global rate. The key to thinking about this is to determine--or at least estimate--the rate of whatever threats face your organization. Of course, many threat rates change constantly, particularly those driven by humans.

Vulnerability is the likelihood of success of a particular threat category against a particular organization. Notice that if this were the likelihood of success of a particular attack (e.g., the Ping of Death) against a particular machine, the likelihood would be either 0 or 1 (0 percent or 100 percent). But since we are concerned about vulnerability at an organizational level (with, say, 1,000 PCs and 50 servers configured and architected in a particular way) to an entire class of threat, binary terms don't work. Instead, vulnerability has to be quantified in terms of a probability of success, expressed as a percent likelihood.

The likelihood of success is not easy to measure, but a related term, "vulnerability prevalence," is. Vulnerability prevalence is simply the number of machines of a particular type (say, NT-based Web servers running IIS that are exposed to the Internet) that exhibit a particular vulnerability.

Many factors work together to make some, but not all, machines vulnerable in their current environment--even if the software, hardware and data is identical across machines. Router rules, firewall configuration, proxy settings, NAT, location on a subnet, OS type, co-existence of other running processes, existence of data of certain types, existence of sample code or files, secondary connections of certain types-these factors and many others change the likelihood of success of a particular threat.

Cost is the total cost of the impact of a particular threat experienced by a vulnerable target. Hard-dollar costs are measured in terms of "real" damages to hardware or software, as well as quantifiable IT staff time and resources spent repairing these damages. Semi-hard costs might include such things as lost business or transaction time during a period of downtime. Soft costs include such things as lost end user productivity, public relations damage control, a decrease in user or public confidence or lost business opportunities.

For the two weeks before and after the Melissa virus catastrophe in 1999, TruSecure did a study where the person most responsible for virus security in 300 organizations was asked to assess the cost of his or her company's "most recent virus event." Nearly one in five companies in the survey said their most recent virus event was Melissa. Of these companies, 79 percent experienced a "disaster" from it. The average "disaster" company had 1,120 employees and averaged 196 infected PCs and 8.7 infected servers (including e-mail, e-commerce and other servers) per site, which were down for an average of two days. Yet the average technician whose company experienced a disaster related to Melissa said the organizational cost was only $1,700. The actual total costs were probably more than seven-fold higher. Why? Because almost none of the technicians surveyed added in second-order hard costs or semi-soft or soft costs.

It's not threat, vulnerability or cost alone that really matters, but risk. As you can see from the risk equation, for there to be any risk there must be at least some threat and vulnerability and cost. The concept we all learned in sixth grade-that anything multiplied by zero is zero-means that if any one of the three components of risk is zero, then the risk is also zero.

This concept is handy when evaluating a vendor's or the media's suggestion that "XYZ risk" must be addressed. If you can determine that XYZ risk poses no threat to your organization-or if you determine that your organization is not vulnerable to it-or that if it is vulnerable to it, the cost of fixing or repairing the problem is zero -you automatically know that XYZ risk doesn't pose a risk to your organization.

In most instances, you won't be able to say for sure that any of the three risk factors is zero. Instead, you'll need to measure each component of risk. For instance, let's say you want to determine if your intranet Web server is vulnerable to the "gichagoombi" attack, and if so, the level of the threat. To do this, you need to evaluate the threat rate in other spheres (like the Internet), and determine how that translates to your intranet. What tools, knowledge and access are required to make it a threat? What human motivation is necessary? Who in your company has all the ingredients (tools, knowledge, access, motivation) to exploit the vulnerability? By drilling down into each component, you'll very often conclude that there's no risk-or at least no imminent risk-because at least one component of risk is zero or near zero.

Vulnerability is often the first thing to address, since that's where you typically have the most control. There are always many places where you can at least partially reduce vulnerability, and do so easily and inexpensively. We call these partial solutions "synergistic controls." They are overlooked by almost everyone, but are exceedingly useful, especially when used together with other synergistic controls.