Firewall Wizards mailing list archives
Re: Security policy and risk analysis questions
From: Bennett Todd <bet () newritz mordor net>
Date: Wed, 28 Apr 1999 13:50:14 +0000
1999-04-27-15:57:56 Frank Pawlak:
I am in the process of developing a network security policy and am stuck in a few areas. So far I have completed the following:
- Identified the assets to be protected
- Defined what those assets are worth to the organization
- Identified the sources of attack
My question concerns the risk analysis. It is my understanding that the risk analysis is used to determine the amount to spend to protect the assets. My problem is assigning a probability to any of the defined threats that an attack will occur from that threat. I realize that this is a highly subjective area. I have searched many books and articles on security policy development without getting much information in this particular area of the risk analysis.
I doubt you'll find anything useful there; the problem is, things won't hold still long enough to collect meaningful statistics. The question you're asking ends up reducing to "what are the odds that someone will write and distribute an easy-to-use exploit", and the like. Fortunately, this doesn't mean we can't do our job:-).

The easy way to tackle the problem works just about all the time: having identified assets and threats to those assets, evaluate the protective measures available, and insofar as possible stick to a policy that mandates conservative protections that do not hinder people's ability to get their work done. Turns out that's not too hard most of the time. When people start pressing to get their latest new toy running, explain the threat potential, and get 'em to provide the business case for their new service. Risk managers make business judgements all day long without hard statistical measures of some risks; that's just part of the job. As long as you can find a line where the costs of generous protection aren't onerous, you can get by without risk measures.

It seems pretty safe to always assign a near-unity probability to a given threat being attempted; the resulting decisions seem reasonable, and when you look back over recent history, that probability seems to be justified:-). One week a threat is a theoretical discussion of a potential weakness; the next it's an announcement from CERT and emergency bugfix releases from vendors.

-Bennett
Current thread:
- Security policy and risk analysis questions Frank Pawlak (Apr 28)
- Re: Security policy and risk analysis questions Bennett Todd (Apr 28)
- RE: Security policy and risk analysis questions Matt McClung (Apr 30)
- Re: Security policy and risk analysis questions Joseph Pung (Apr 29)
- Re: Security policy and risk analysis questions Bennett Todd (Apr 28)