Montreal, February 5th, 2016.
The BYOR series, stands for Bring Your Own Risk and are aimed at providing a repository of multiple articles related to the trends and domains of information security risks. The acronym is inspired from the well-known ‘’Bring Your Own Device’’.
Risk is characterized as an intangible notion that humanity has always tried to predict, avoid and master for a very long time. Due to its unpredictable character and multiple forms, risk has always been studied and formalized as a potentiality level coupled with a certain level of impact. It’s even more complex when this concept of risk is applied to information systems.
Development and profusion, throughout the last decade, of information systems, platforms, and applications, initiated a radical turn on information security trend. Enterprises top executives were progressively but slowly becoming aware of the threats and related expositions of their information environments and related systems.
Unfortunately, they mainly were on a passive position regarding their asset security and they are still holding this position, for the majority. The cause? It would be very presumptuous to subject this situation to only one cause, but we will start this first chapter of a long series by a cause related to the cost.
Inside these series of publications and articles we will explore different domains that will be considered as corner stones of an organized, robust and dynamic information security architecture. Starting with the analysis of financial allocation concerning information security, we will try to seek and compare the logical links between the assumptions and resultants produced by the risk management process, the prioritization of investment concerning the protection of information assets and the empirical level of risk VS investments, as seen through different companies. Retun On Security Investment (ROSI) will be one of the base term on the next article.
Every information security department has a fixed budget and related expenditure tends to also have a major influence on security posture. Expenses will, theoretically, be prioritized to follow the actual information security program by priority order in way to enhance the security architecture, if there’s any. Those cost limitations coupled with a poor prioritization on security projects doesn’t allow the enterprise to fully evolve and grow its information security policies as it should.
Although we cannot fully anticipate an adverse event, several common methodologies are able to implement and use some specific structuration when it comes to risk appreciation and analysis. A study made through my thesis brought me to see and consider those risk analysis approach as an excellent source of information in way to build a risk evaluation framework and profit from those benefits to increase the enterprise information security posture.
As a matter of fact, a part of this study was aimed at providing precise conclusion regarding the utility and the ways those methods could be reinforced in order to better relate to the enterprise reality. One of the major point that came out was concerning the subjectivity of the risk perception. Yes, the perception and the opinion of the group or individual responsible for conducting the risk assessment process through a scenario based approach.
Depending on the scenario, several study cases have proved that this perception could completely differ from one resource to another. Evaluating the potentiality and/or the impact of a risk is extremely important and a thorough evaluation is directly related to the risk level accuracy. This precision will then determine the estimation and prioritization of treatment regarding related risks.
See you in two weeks for the first article of this series who will involve an in-depth analysis regarding InfoSec investments and priority.
Alexandre Pieyre, M.Sc., CISM, CEH, CCNP
Information Security Consultant
