Few would argue against the assertion that information security is important in the information age. Indeed, security was ranked as the top business priority for 2005 by 82% of the 300 business technology managers polled by Information Week. Security is such an essential attribute of information technology that some consider it a key business enabler for the global economy. Yet despite the priority, the high visibility, and the monumental growth of the information security industry, security losses and cyber attacks remain a crippling problem for information systems.
These losses are often the result of poor security investment decisions. Making well-informed decisions requires benchmarking of information security risk management, which in turn requires industry-wide data on security breaches and losses. One reason such data is unavailable is that disclosing it often carries a risk of damage to the reputation of the disclosing organization.
A further problem limiting the success of security measures in current systems is not the security technology itself but a lack of knowledge about information security risk management. Information Technology (IT) departments may create a false sense of security by overspending in some areas, such as large purchases of security technology and software, while overlooking others, such as staff quality and management. The overall result may be under-investment in information security despite its high priority. These poor investment decisions are frequently a consequence of inadequate research in areas such as security economics and risk assessment.
Many current practices in information risk assessment exemplify this lack of objective knowledge. Risk measurements often mix vulnerability data with unquantifiable gut feelings that are difficult to analyze and do not satisfy financial officers. While many people recognize that security is a capital investment decision, and as such should be treated as a cost-benefit determination, the economic analysis used by many executives lacks formal quantification and is instead driven by pre-defined security budgets, perceptions of best practices, and the “must-do” requirements of regulators and auditors. Such management practices make information security more of a “folk art” than a profession. Managers of information systems should clearly progress beyond the “gut feel” approach and use metrics to prioritize security threats and vulnerabilities. Developing such metrics typically requires empirical information, both internal and external, and both historical and forecast, on security breaches and losses. Without this basic data, objective risk analysis is impractical.
Intractable problems block the development of empirical databases of security risk information. One problem is the lack of agreed terminology and labels for the underlying concepts being measured. The terms of the information security lexicon are generally neither precise nor distinct. For instance, incident, threat, risk, vulnerability, and control are each used differently by various authorities, and basic metrics that count events are difficult to collect when the terms defining those events are imprecise.
A second problem is that the basic data is often unavailable because it consists of reports of security breaches and losses, and organizations face real dangers in disclosing or sharing such reports. Public disclosure of a breach is not merely an embarrassment; it may damage the organization's reputation and, for commercial organizations, lead to capitalization losses. Attempts to share the data privately within industry groups may violate anti-trust laws designed to deter collusion among competitors, and where government organizations participate, the data may become publicly exposed through freedom-of-information laws. As a result, disclosure is inhibited.
Despite these problems, information security management remains essentially a risk reduction program, and to manage risks one must measure them. Metrics are therefore central to information security management, and the problems described above must be solved. Not surprisingly, quantitative information systems risk management was identified by the Computing Research Association in 2004 as one of the four “grand research challenges in information security and assurance.”
Recapping, two basic problems in risk management have been identified above: imprecise data and disclosure inhibition. Disclosure inhibition is often an internal impediment to the free expression of information: a responsible organization withholds disclosure to prevent the expected or unexpected damage that may follow as a reaction to it. One way to define the underlying problem is the “Law of Private Data Disclosure,” which can be expressed as follows:

Private Data Disclosure (IMPLIES) Risk

That is, disclosing information implies a risk to the discloser. The risk may vary in scale from trivial to fatal, but most if not all disclosures involve some risk.