Firewall Wizards mailing list archives

Re: Security policy and risk analysis questions


From: Bennett Todd <bet () newritz mordor net>
Date: Wed, 28 Apr 1999 13:50:14 +0000

1999-04-27-15:57:56 Frank Pawlak:
I am in the process of developing a network security policy and am stuck in
a few areas.  So far I have completed the following:

 - Identified the assets to be protected
 - Defined what those assets are worth to the organization
 - Identified the sources of attack

My question concerns the risk analysis. It is my understanding that the risk
analysis is used to determine the amount to spend to protect the assets.
My problem is assigning a probability to any of the defined threats that
an attack will occur from that threat. I realize that this is a highly
subjective area. I have searched many books and articles on security policy
development without getting much information in this particular area of the
risk analysis.

I doubt you'll find anything useful there; the problem is, things won't hold
still long enough to collect meaningful statistics. The question you're
asking ends up reducing to "what are the odds that someone will write and
distribute an easy-to-use exploit", and the like.

Fortunately, this doesn't mean we can't do our job:-).

The easy way to tackle the problem works just about all the time: having
identified assets and threats to those assets, evaluate protective measures
available, and insofar as possible stick to a policy that mandates
conservative protections that do not hinder people's ability to get their
work done. Turns out that's not too hard most of the time. When people start
pressing to get their latest new toy running, explain the threat potential,
and get 'em to provide the business case for their new service.

Risk managers make business judgements all day long without hard statistical
measures of some risks; that's just part of the job. As long as you can find a
line where the costs of generous protection aren't onerous, you can get by
without risk measures.

It seems pretty safe to always assign a near-unity probability to a given
threat being attempted; the resulting decisions seem reasonable, and when you
look back over recent history, that probability seems to be justified:-). One
week a threat is a theoretical discussion of a potential weakness; the next
it's an announcement from CERT and emergency bugfix releases from vendors.

-Bennett
