Sun Tzu once said, “if you know your enemies and know yourself, you can win a hundred battles without a single loss.”
Security geeks preach the value of understanding your technology, as well as vulnerabilities of that technology. We attend BlackHat and DefCon every year in attempt to learn something more from the other side of the road – the theory being that if we can learn more about the way “they” think than maybe we can be better prepared to protect against “them”.
There is value in that, but at the same time, we should be reinforcing the need for organizations to understand themselves. Security basics are security basics for a reason. Classical security says to start with a security policy that says what you really want to do, and then base your security program off of that. One of the first steps you have in a formal security program is the Risk Analysis, closely followed by the Business Impact Assessment. But is there another step in here that helps improve how well you know yourself?
You may find some value in adding risk profiling as part of your overall Risk Analysis. The theory is that some organizations simply have a higher overall risk profile than other companies. Intuitively, people know this, but we don’t always think of it as such. I mean, if I describe two companies, maybe you can tell me who has the larger risk profile – so which one inherently carries the greater chance that they will be subjected to a breach or other incident. Both companies have 12,000 employees. Both are $2 Billion companies. Company A is a centralized manufacturing company, who builds everything in one plant in Kentucky, and sells all of their goods through distributors to retailer around the country. Company B is a highly distributed bank, with small branches spread across the southeastern region of the country. They issue and support credit cards, and support online banking, including a new banking app for your iPhone.
I think the obvious answer is that Company B has inherently more risk. But, can we quantify that analysis?
Complete the quiz below, keeping track of your adds and subtracts as you go. The identified issues and scoring system are obviously not comprehensive, but will provide you with feedback on building a risk profile. You will note that for a significant number of these, you simply cannot eliminate them – you simply have to know the concern exists, and decide how you manage the risk that they add to your environment. If you don’t fit the criteria listed, just enter 0, then check your results at the end.
|
Sizing and Structure |
||
|
____ |
1.1 |
If your organization is smaller than 100 staff (including employees, interns, temps, etc.) +1 If your organization is larger than 20,000 staff +1 If your organization is larger than 85,000 staff +3 |
|
____ |
1.2 |
If your organization is in the Fortune 100 +1 |
|
____ |
1.3 |
If your organization has a dedicated security staff -2 |
|
____ |
1.4 |
If your organization’s dedicated security staff is at least 10% of the size of the organization’s IT department -2 |
|
____ |
1.5 |
If your organization has a dedicated Internal Audit group, separate from Systems and Security -2 |
|
____ |
1.6 |
If your organization has a formally defined Compliance Officer -2 |
|
____ |
1.7 |
If your organization’s formally defined Compliance Officer is either a “C” or reports directly to a “C” -2 |
|
Centralization |
||
|
____ |
2.1 |
If your organization is widely distributed geographically, such as including significant operations in multiple states +2 If your organization includes international operations other than “sales” +3 |
|
____ |
2.2 |
If your corporate headquarters buildings are NOT co-located (for instance, HQ is in Baltimore, but you have two HQ buildings, one by the beltway, and one by the Inner Harbor) +1 |
|
____ |
2.3 |
If your corporate headquarters includes executives in same building as a significant percentage of your workforce -1 |
|
Stability |
||
|
____ |
3.1 |
If your organization had any layoffs in the last 24 months +1 If your organization had any layoffs in the last 3 months +2 |
|
____ |
3.2 |
If your organization expects to have layoffs in the next six months +3 |
|
____ |
3.3 |
If your organization’s headcount has grown or shrunk in size by more than 25% in the last year (for any reason) +1 |
|
____ |
3.4 |
If your organization has an active technology training program that allows technical IT and security employees to remain trained in current technology -2 |
|
____ |
3.5 |
If your organization has had a merger or acquisition in the past 24 months +1 |
|
____ |
3.6 |
If your organization size (staff or revenue) has increased 100% or more due to M&A activities during the past 24 months +2 |
|
____ |
3.7 |
If your organization is “for sale” and is actively wooing buyers +1 |
|
____ |
3.8 |
If your organization has had a strike in the past 12 months +1 |
|
____ |
3.9 |
If your organization does not create positive revenue +1 |
|
Workforce |
||
|
____ |
4.1 |
If your organization workforce is more than 75% male +1 |
|
____ |
4.2 |
If your organization pays at or below average salary in your industry in your geographic region +2 |
|
____ |
4.3 |
If your organization performs background investigations on key employees -2 |
|
____ |
4.4 |
If your organization actively recruits locally -1 |
|
Client/Customer Base |
||
|
____ |
5.1 |
If your organization’s customer/client base is male +1 |
|
____ |
5.2 |
If your organization’s customer/client base is high tech +1 |
|
____ |
5.3 |
If your organization’s customer/client base is heavy in the 18-30 year old demographic +1 |
|
Competitive Environment |
||
|
____ |
6.1 |
If your organization is in a highly competitive industry +2 |
|
____ |
6.2 |
If your organization has lost an employee to a competitor, OR hired from a competitor within the past 12 months +1 |
|
____ |
6.3 |
If your organization shares partners and vendors with competition +1 |
|
Hacktivism/Breaches |
||
|
____ |
7.1 |
If your organization has been in the news for negative reasons within the last year +1 If your organization has been in the news for negative reasons within the last three months +2 |
|
____ |
7.2 |
If your organization has an active counter culture who protests against you, for instance, protestors picketing buildings, or a negative derivation of your website exists +1 |
|
____ |
7.3
|
If your organization has been subject to an active hacktivist initiative at any time within the past 12 months +5 |
|
____ |
7.4 |
If your organization has had an incident involving the loss or compromise of information 4-9 months ago -2 |
|
____ |
7.5 |
If your organization has had an incident within the past three months, OR but more than 12 months ago +1 |
|
Industry Impact |
||
|
____ |
8.1 |
If your organization is considered part of the “Critical Infrastructure” +2 |
|
____ |
8.2 |
If your organization is military, or federal, state, or local government +2 |
|
____ |
8.3 |
If your organization is a non-profit or charity -1 |
|
____ |
8.4 |
If your organization is the banking/financial industry +3 If your organization is in the healthcare industry +2 If your organization is involved in nuclear energy +1 |
|
Business Impact |
||
|
____ |
9.1 |
If your organization has completed a formal BIA within the past 12 months -7 |
|
|
||
|
____ |
Total Risk Profile
|
|
|
Score |
Results |
|
Less than -5 |
This is a good risk profile. You have a lower probability of experiencing an incident or breach than most organizations. |
|
-5 to +8 |
This is a normal risk profile. Your overall risk of having an incident or breach is unchanged. Consider your profile “average”. |
|
+9 to +29 |
This is a high risk profile. You have a higher probability of experiencing an incident or breach than most organizations. |
|
+30 or up |
This is a critical risk profile. This is effectively “Danger Will Robinson” mode. You should definitely be implementing risk mitigating strategies to help reduce your exposure when you have an incident or breach. |
The process has value for a couple reasons. First, thinking through the issues and understanding that all of the “+” elements increase your overall risk, and that all of the “-“ elements all decrease your overall risk.
Second, thinking specifically about the area in which you scored high in, and consider what mitigating actions you can take to:
- negate the increase in risk – For instance, consolidate HQS from three buildings to one building
- minimize the impact of the risk – Consider what you can do to make that issue a “non-issue”. Are there actions you can take to stop being a target of hacktivists? If you had a breach 14 months ago, maybe you initiate refresher training, or conduct a practice exercise, to help make sure people are not forgetting the lessons they learned during the previous incident.
Personally, I would also do this: use the Risk Profile number as a Risk Factor when considering my BIA results. Divide the Risk Profile by 100, then add it to 1.0 to get a Risk Factor. I multiply my BIA results by my Risk Factor to get a better reflection of my expected risk.
Say I scored a Risk Profile of +10.
10/100 =.1
1.0+.1=1.1
If my BIA comes out to say I currently have an exposure of $3,000,000, I am going to multiply that by my risk factor, so 1.1*$3,000,000=$3,300,000. So, I am using the number $3.3M in my risk management planning.
Unfortunately, in many cases, there is not a lot you can really do to impact the specific risk elements. Big Blue Bank can’t just stop being a member of the financial industry, but they can understand that they have many of these risk elements, and can take additional action to reduce their exposure elsewhere, such as making sure employees are paid appropriately, watching the impact of M&A activities, and actively working to avoid being a target of hackers or hacktivists.
Oh. And, yes. Do a BIA…
