Measuring Security Value.
Posted on 22/05/20 in
Here is the fourth instalment from Abhishek Vyas in our Security series, providing context around how you can demonstrate the value of security.
If you would like to know more please do get in touch with us.
With security spanning confidentiality, integrity and availability, it can become quite difficult to understand the value that security brings. It's not as simple as systems just being online, and it's not as simple as just hosting data on a set of redundant disks.
In light of GDPR and the associated data breach fines, it has become somewhat easier to lobby for security spend. Taking a different approach, can having good security help the business release products to market faster?
There are several benefits to having security baked into ways of working for the business, which can result in increased customer confidence and a lower likelihood of a data breach.
- Security brings in several stakeholders, as an end-to-end understanding of the system is needed (e.g. application, infrastructure, processes etc.). This can often make supporting the system easier.
- Good security architecture can help build better IT systems, whilst implementing security requirements (confidentiality, integrity and availability).
- A risk assessment that has traceability to requirements can highlight business risks, allowing the business to make appropriate decisions.
- Security assurance mechanisms can help maintain the security posture. This helps to ensure data is protected longer term, enabling the business to make safe use of it.
- Information Security accreditations, e.g. ISO 27001, can be used to help give customers and suppliers confidence in the business.
As you can see from the above, there are several benefits of integrating security into the business, so there is some value, but the key question is how to measure it. Whilst this can be difficult, as value is generally subjective, there are some ways in which this can be gauged.
- Estimate the Asset Value (AV): this is how much the asset is worth to the business, e.g. £100,000
- Estimate the Exposure Factor (EF) (%): this is how much the business stands to lose as a result of the asset being compromised (the risk event), e.g. 30%
- From the above, we can calculate the Single Loss Expectancy (SLE): SLE = AV x EF = £100,000 x 30% = £30,000
- If the likelihood of a risk event occurring is once every two years (0.5), then the ALE (Annualised Loss Expectancy) = £30,000 x 0.5 = £15,000
If the business were to assume that a breach is more likely than not, getting a view on asset value can help plan the security spend, and help demonstrate how much value is being protected by the security countermeasures deployed.
Applying a good security architecture, deploying appropriate countermeasures and backing that up with scalable assurance processes can help maximise the value (given that much of this can be reusable if deployed correctly).
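As an added example (not from the original article), the AV/EF/SLE/ALE calculation above in code, extended to compare a countermeasure's annual cost against the ALE it removes, which is how the "value protected" by security spend can be put in pounds. The asset figures are the article's; the two countermeasures and their residual EF and event rates are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Added example: quantitative risk (AV, EF, SLE, ALE) with a cost-benefit check for a control.

@dataclass(frozen=True)
class RiskScenario:
    asset: str
    asset_value: Decimal      # AV: worth of the asset to the business, in pounds
    exposure_factor: Decimal  # EF: fraction of AV lost per risk event (0..1)
    annual_rate: Decimal      # expected risk events per year (0.5 = once every two years)

    def __post_init__(self):
        if not (Decimal(0) <= self.exposure_factor <= Decimal(1)):
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and annual rate must be non-negative")

    def sle(self) -> Decimal:
        # Single Loss Expectancy: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> Decimal:
        # Annualised Loss Expectancy: ALE = SLE x annual rate of occurrence
        return self.sle() * self.annual_rate

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: Decimal
    residual_exposure_factor: Decimal  # EF once the control is in place
    residual_annual_rate: Decimal      # event rate once the control is in place

def residual(scenario: RiskScenario, control: Countermeasure) -> RiskScenario:
    # The same asset, re-assessed with the control's residual EF and event rate.
    return RiskScenario(scenario.asset, scenario.asset_value,
                        control.residual_exposure_factor, control.residual_annual_rate)

def annual_benefit(scenario: RiskScenario, control: Countermeasure) -> Decimal:
    # ALE avoided minus what the control costs per year. Positive means the spend
    # protects more value than it consumes; negative means the control costs more
    # than the loss it prevents and needs a different justification.
    return scenario.ale() - residual(scenario, control).ale() - control.annual_cost

# The article's worked figures, plus two constructed (hypothetical) controls.
CUSTOMER_DB = RiskScenario("customer database", Decimal("100000"), Decimal("0.30"), Decimal("0.5"))
ENCRYPT_AND_MONITOR = Countermeasure("encryption + monitoring", Decimal("4000"), Decimal("0.10"), Decimal("0.25"))
GOLD_PLATED = Countermeasure("bespoke appliance", Decimal("14000"), Decimal("0.05"), Decimal("0.5"))

if __name__ == "__main__":
    for c in (ENCRYPT_AND_MONITOR, GOLD_PLATED):
        print(c.name, annual_benefit(CUSTOMER_DB, c))
```

For the article's asset, the cheaper control yields a net benefit of £8,500 a year while the expensive one comes out £1,500 a year worse than accepting the risk, which is the kind of comparison that turns a security budget line into a business decision.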