Tuesday, October 25, 2005

Empirical Formulas in Security

When you need to explain a difficult concept, sometime is easy to visualize it through empirical formulas. Another good way is visualize a concept with metaphor (my next post). In security I found out useful the following formulas:
Security depends on policies, tools and commitment from management:
Security= (Policies^2+Tools)*Commitment

In the formula there is more emphasis (importance) on policies and procedures than tools.
If I change policies by a factor of 2 than security changes by a factor of 4. If I change tools by a factor of 2, security changes by a factor of 2. Basically there is more payoff on changing policies and procedures than tools. Commitment is the most critical since is a multiplier. If there is no Commitment there is no security nullifying all the roll out of policies and the expense on buying tools.

Interesting empirical formulas can also be used to explain risk. Assume the basic formulation:  a Technical risk is the likelihood that threat will exploit a vulnerability to cause an technical impact to the system:
Technical Risk = Threat X Vulnerability X Impact

If you would like to put the emphasis on assets as relate to impact you can also formulate risk as: Risk is the probability of an attack on an asset exposed by vulnerability, Qualitatively can be HIGH, MEDIUM or LOW:

Qualitative  Risk = Vulnerability * Asset * Attack

For example there is a threat but the application is not vulnerable (Vulnerability=0) so there is no risk. Or there are both threat and a vulnerability but there is no asset data (Asset=0, Impact=0) so there is no risk.

Keep in mind that these are empirical formulations for qualitative analysis and not formulation for quantify risk while doing a cost vs. benefit risk analysis such as cost of loss vs. benefit of money invested in security control. The risk of quantitative loss can be formulated as Annualized Loss Expectancy (ALO) = Single Loss Expectancy (SLO) * Annual Rate Of Occurrence (ARO)).


You can use these risk qualitative formulas to introduce the concept of security risks and of the main factors that can be used for qualitative risk analysis.

1 comment:

Mohamed Witten said...

A bit late on this one, however I found it beneficial. If you have anything more of can point me to some more resources for quantifying risk. Please let me know.