A popular expression in security circles equates a company's critical intellectual property with the crown jewels. The comparison is apt in more ways than one. I've visited the Tower of London and seen the crown jewels. They are protected by many layers of security, but the truth is that they make very poor targets for theft because they are far too distinctive to fence. To sell such items, a thief would have to take great risks and accept heavy discounts. Someone holding the queen hostage would more likely ask for "nonsequential unmarked bills" than for the crown jewels. Any item, whether tangible like the crown jewels or intangible like your company's latest flying car design, is only worth what a buyer will pay for it. If the market for the item is too small or the risk of laundering it too high, it will have to be heavily discounted. Yet most information security risk-assessment methodologies measure the loss impact for the company and ignore the gain potential for the thief.
The impact of a loss is an important component of the risk assessment because it lets us compare the cost and benefit of securing an asset. But equally important is the cost-benefit calculation that takes place in the mind of the cybercriminal. In selecting targets, the criminal must consider the fully discounted value of the asset: its resale price after allowing for how hard it is to monetize. The flying car design has only a handful of potential buyers and leaves a trail, because its source is easy to identify. If I'm the attacker, I will go for the asset that most resembles small unmarked bills. In most companies that is either cash and financial instruments or the identities stored in various databases. The identity theft market is large and growing fast. Identities sell for US$14 to US$18 in black markets, with anonymity and plenty of buyers.
When companies decide how much to invest in security and which assets to protect, they rely on a risk assessment that multiplies the impact of a loss by the probability of a loss. The probability of a loss in turn depends on the rate of attacks and the vulnerability of the asset. We can estimate the relative vulnerability of our assets, but how do we rate the probability of an attack? Most models use statistics based on reported attacks. A better way to rank assets by probability of attack is to consider their resale discount rate: the cost of monetizing them in a black market. While we focus on protecting the flying car design, our HR database is like a pile of cash, enticing and easy to trade. Perhaps we need to re-assess risk by incorporating the motives of the attacker.
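As an added worked example (not from the original post), the following Python script puts the two rankings the post contrasts side by side: loss impact multiplied by a flat attack rate taken from reported statistics, versus the same impact-times-probability formula with the attack probability derived from the thief's fully discounted gain. All dollar figures, vulnerability scores and record counts are constructed for illustration; only the US$14-per-identity price comes from the text, and the rule that a profit-motivated thief spreads attempts in proportion to expected gain is a modelling assumption of this example, not the author's.

```python
"""Added example: ranking assets by defender loss impact alone versus by
the thief's fully discounted gain. Figures are constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    loss_impact: float         # cost to the company if the asset is stolen (USD)
    vulnerability: float       # probability that one attempt succeeds, 0..1
    black_market_value: float  # gross price a thief could ask for the asset (USD)
    fence_discount: float      # fraction of that price lost to fencing/laundering, 0..1
    attack_cost: float         # thief's expected cost of one attempt (USD)


# Constructed, illustrative figures. Only the US$14-per-identity price is from the page;
# the 100,000-record HR database and every other number are assumptions.
CONSTRUCTED_ASSETS: List[Asset] = [
    Asset("flying_car_design", loss_impact=50_000_000, vulnerability=0.2,
          black_market_value=5_000_000, fence_discount=0.95, attack_cost=200_000),
    Asset("hr_database", loss_impact=2_000_000, vulnerability=0.4,
          black_market_value=100_000 * 14, fence_discount=0.10, attack_cost=50_000),
    Asset("treasury_accounts", loss_impact=3_000_000, vulnerability=0.1,
          black_market_value=3_000_000, fence_discount=0.05, attack_cost=100_000),
]


def defender_risk(asset: Asset, base_attack_rate: float) -> float:
    """Conventional view: impact x probability of loss, with one attack rate
    applied to every asset (as when the rate comes from reported-attack statistics)."""
    return asset.loss_impact * base_attack_rate * asset.vulnerability


def attacker_expected_gain(asset: Asset) -> float:
    """Thief's view: resale value after the fence discount, weighted by the
    chance the attempt works, minus what the attempt costs."""
    net_resale = asset.black_market_value * (1.0 - asset.fence_discount)
    return net_resale * asset.vulnerability - asset.attack_cost


def attack_probabilities(assets: List[Asset]) -> Dict[str, float]:
    """Modelling assumption (this example's, not the author's): a profit-motivated
    thief spreads attempts in proportion to positive expected gain. Assets that
    would lose the thief money get zero; if nothing pays, fall back to an even spread."""
    gains = {a.name: max(attacker_expected_gain(a), 0.0) for a in assets}
    total = sum(gains.values())
    if total == 0.0:
        return {name: 1.0 / len(assets) for name in gains}
    return {name: gain / total for name, gain in gains.items()}


def motive_adjusted_risk(asset: Asset, assets: List[Asset]) -> float:
    """Same impact x probability formula, but the attack probability now comes
    from the thief's cost-benefit calculation instead of a flat rate."""
    return asset.loss_impact * attack_probabilities(assets)[asset.name] * asset.vulnerability


def rank_by_defender_risk(assets: List[Asset], base_attack_rate: float) -> List[str]:
    """Asset names, highest conventional risk first."""
    return [a.name for a in sorted(assets, key=lambda a: defender_risk(a, base_attack_rate),
                                   reverse=True)]


def rank_by_motive(assets: List[Asset]) -> List[str]:
    """Asset names, highest motive-adjusted risk first."""
    return [a.name for a in sorted(assets, key=lambda a: motive_adjusted_risk(a, assets),
                                   reverse=True)]


if __name__ == "__main__":
    print("impact-only ranking :", rank_by_defender_risk(CONSTRUCTED_ASSETS, 0.3))
    print("motive-adjusted     :", rank_by_motive(CONSTRUCTED_ASSETS))
    for a in CONSTRUCTED_ASSETS:
        print(f"{a.name:18s} thief's expected gain = {attacker_expected_gain(a):>12,.0f} USD")
```

With these constructed inputs the design tops the impact-only list and drops to the bottom once the 95% fence discount and the tiny buyer pool are applied, while the HR database, where each record sells for the page's US$14 with little friction, comes out on top. One caveat the model makes visible: the design's zero attack probability is a consequence of assuming a purely profit-motivated thief. A competitor or a state actor does not fence what it steals, so a real assessment would carry a separate term for non-financial motives rather than read that zero as licence to stop protecting the design.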