If an security risk scoring system does not including data about expected finacial loss ($), or the likelihood of loss, how helpful to the business can it possibly be?
Without that, InfoSec is still in the red-yellow-green light phase of risk management.
Without that, InfoSec is still in the red-yellow-green light phase of risk management.
Collecting my thoughts. What data types are need for effective industry-wide InfoSec risk management (financial loss).
1) Adversary: An general understanding of thier motivation, level of skill, determination, and targets of focus.
1) Adversary: An general understanding of thier motivation, level of skill, determination, and targets of focus.
2) Vulnerability Landscape: A complete [as possible] database for all industry software vulnerabilities.
3) IT Environment: Complete technical details about the size and makeup of an IT environment, includuing security controls and exposed vulnerabilities.
3) IT Environment: Complete technical details about the size and makeup of an IT environment, includuing security controls and exposed vulnerabilities.
4) Incident / Loss Data: When breaches occur, as much actuarial data as possible, including the financial losses data.
If this is generally correct, then the next question is what entities in the market have the best access to these data types.
If this is generally correct, then the next question is what entities in the market have the best access to these data types.
1) Adversary: Threat Intel, Cyber-Insurance Carriers, Incident Responders
2) Vulnerability Landscape: Vulnerability Management, Vulnerability DB's (ie OSVDB, MITRE)
3) IT Environment: DevOps Teams, InfoSec Teams, Vulnerability Management, Asset Inventory
2) Vulnerability Landscape: Vulnerability Management, Vulnerability DB's (ie OSVDB, MITRE)
3) IT Environment: DevOps Teams, InfoSec Teams, Vulnerability Management, Asset Inventory
4) Incident / Financial Loss: Cyber-Insurance Carriers, Incident Responders
… a work in progess.
… a work in progess.
